From 1a0a0569c54ec32ce500f4e94c1b4a30a75c261e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com>
Date: Wed, 8 Mar 2017 11:58:24 +0100
Subject: Fix a use-after-free in substr() that modifies a magic variable

---
 ...-copy-the-source-when-inside-the-dest-in-.patch | 104 +++++++++++++++++++++
 perl.spec                                          |   7 ++
 2 files changed, 111 insertions(+)
 create mode 100644 
perl-5.24.1-perl-129340-copy-the-source-when-inside-the-dest-in-.patch

diff --git 
a/perl-5.24.1-perl-129340-copy-the-source-when-inside-the-dest-in-.patch 
b/perl-5.24.1-perl-129340-copy-the-source-when-inside-the-dest-in-.patch
new file mode 100644
index 0000000..f400675
--- /dev/null
+++ b/perl-5.24.1-perl-129340-copy-the-source-when-inside-the-dest-in-.patch
@@ -0,0 +1,104 @@
+From 4fe0e2d067ac5639d94f35f8c7e8ac4e0e3ab336 Mon Sep 17 00:00:00 2001
+From: Tony Cook <t...@develop-help.com>
+Date: Mon, 20 Feb 2017 11:02:21 +1100
+Subject: [PATCH] (perl #129340) copy the source when inside the dest in
+ sv_insert_flags()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ported to 5.24.1:
+
+commit e7a8a8aac45d42d72d1586227ca51771f193f5dc
+Author: Tony Cook <t...@develop-help.com>
+Date:   Mon Feb 20 11:02:21 2017 +1100
+
+    (perl #129340) copy the source when inside the dest in sv_insert_flags()
+
+Signed-off-by: Petr Písař <ppi...@redhat.com>
+---
+ embed.fnc     |  2 +-
+ proto.h       |  2 +-
+ sv.c          | 12 +++++++++++-
+ t/op/substr.t |  5 ++++-
+ 4 files changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/embed.fnc b/embed.fnc
+index a64ffba..2395efb 100644
+--- a/embed.fnc
++++ b/embed.fnc
+@@ -1437,7 +1437,7 @@ Amdb     |void   |sv_insert      |NN SV *const 
bigstr|const STRLEN offset \
+                               |const STRLEN len|NN const char *const little \
+                               |const STRLEN littlelen
+ Apd   |void   |sv_insert_flags|NN SV *const bigstr|const STRLEN offset|const 
STRLEN len \
+-                              |NN const char *const little|const STRLEN 
littlelen|const U32 flags
++                              |NN const char *little|const STRLEN 
littlelen|const U32 flags
+ Apd   |int    |sv_isa         |NULLOK SV* sv|NN const char *const name
+ Apd   |int    |sv_isobject    |NULLOK SV* sv
+ Apd   |STRLEN |sv_len         |NULLOK SV *const sv
+diff --git a/proto.h b/proto.h
+index fb4ee29..2b2004a 100644
+--- a/proto.h
++++ b/proto.h
+@@ -3015,7 +3015,7 @@ PERL_CALLCONV void       Perl_sv_inc_nomg(pTHX_ SV 
*const sv);
+ /* PERL_CALLCONV void Perl_sv_insert(pTHX_ SV *const bigstr, const STRLEN 
offset, const STRLEN len, const char *const little, const STRLEN littlelen); */
+ #define PERL_ARGS_ASSERT_SV_INSERT    \
+       assert(bigstr); assert(little)
+-PERL_CALLCONV void    Perl_sv_insert_flags(pTHX_ SV *const bigstr, const 
STRLEN offset, const STRLEN len, const char *const little, const STRLEN 
littlelen, const U32 flags);
++PERL_CALLCONV void    Perl_sv_insert_flags(pTHX_ SV *const bigstr, const 
STRLEN offset, const STRLEN len, const char *little, const STRLEN littlelen, 
const U32 flags);
+ #define PERL_ARGS_ASSERT_SV_INSERT_FLAGS      \
+       assert(bigstr); assert(little)
+ PERL_CALLCONV int     Perl_sv_isa(pTHX_ SV* sv, const char *const name);
+diff --git a/sv.c b/sv.c
+index d1e84f0..697db41 100644
+--- a/sv.c
++++ b/sv.c
+@@ -6223,7 +6223,7 @@ C<SvPV_force_flags> that applies to C<bigstr>.
+ */
+ 
+ void
+-Perl_sv_insert_flags(pTHX_ SV *const bigstr, const STRLEN offset, const 
STRLEN len, const char *const little, const STRLEN littlelen, const U32 flags)
++Perl_sv_insert_flags(pTHX_ SV *const bigstr, const STRLEN offset, const 
STRLEN len, const char *little, const STRLEN littlelen, const U32 flags)
+ {
+     char *big;
+     char *mid;
+@@ -6236,6 +6236,16 @@ Perl_sv_insert_flags(pTHX_ SV *const bigstr, const 
STRLEN offset, const STRLEN l
+ 
+     SvPV_force_flags(bigstr, curlen, flags);
+     (void)SvPOK_only_UTF8(bigstr);
++
++    if (little >= SvPVX(bigstr) &&
++        little < SvPVX(bigstr) + (SvLEN(bigstr) ? SvLEN(bigstr) : 
SvCUR(bigstr))) {
++        /* little is a pointer to within bigstr, since we can reallocate 
bigstr,
++           or little...little+littlelen might overlap offset...offset+len we 
make a copy
++        */
++        little = savepvn(little, littlelen);
++        SAVEFREEPV(little);
++    }
++
+     if (offset + len > curlen) {
+       SvGROW(bigstr, offset+len+1);
+       Zero(SvPVX(bigstr)+curlen, offset+len-curlen, char);
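Review bot: The aliasing test added at the top of this hunk orders `little` against `SvPVX(bigstr)` and its end with `>=`/`<`; when `little` is not inside that buffer the two pointers belong to different allocations, and ordering comparisons between pointers into different objects are undefined behaviour in C, so spelling it through integers, `PTR2UV(little) >= PTR2UV(SvPVX(bigstr)) && PTR2UV(little) < PTR2UV(SvPVX(bigstr)) + (SvLEN(bigstr) ? SvLEN(bigstr) : SvCUR(bigstr))`, avoids relying on the compiler being lenient. The check also runs only after the `SvPV_force_flags(bigstr, curlen, flags)` call just above it; if that force has already replaced the buffer `little` pointed into (for example by dropping a shared buffer), the new `SvPVX` no longer matches and no copy is made — worth confirming for the callers, or snapshotting the old `SvPVX`/`SvLEN` before the force and testing against both. The POD for `sv_insert_flags`, which ends just before the first sv.c hunk, is not updated for the new contract; I would add `C<little> may point into C<bigstr>'s own buffer; in that case it is copied before C<bigstr> is modified, and the copy is released at scope exit via C<SAVEFREEPV>.` The body of `Perl_sv_insert_flags` continues outside the hunk.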
+diff --git a/t/op/substr.t b/t/op/substr.t
+index eae2403..01c36a9 100644
+--- a/t/op/substr.t
++++ b/t/op/substr.t
+@@ -22,7 +22,7 @@ $SIG{__WARN__} = sub {
+      }
+ };
+ 
+-plan(388);
++plan(389);
+ 
+ run_tests() unless caller;
+ 
+@@ -869,3 +869,6 @@ is($destroyed, 1, 'Timely scalar destruction with lvalue 
substr');
+ 
+     is($result_3363, "best", "ref-to-substr retains lvalue-ness under 
recursion [perl #3363]");
+ }
++
++# failed with ASAN
++fresh_perl_is('$0 = "/usr/bin/perl"; substr($0, 0, 0, $0)', '', {}, "(perl 
#129340) substr() with source in target");
+-- 
+2.7.4
+
diff --git a/perl.spec b/perl.spec
index 5b6dfda..a135946 100644
--- a/perl.spec
+++ b/perl.spec
@@ -299,6 +299,10 @@ Patch84:        
perl-5.25.9-avoid-a-leak-in-list-assign-from-to-magic-values.pat
 # in upstream after 5.25.9
 Patch85:        
perl-5.24.1-perl-130815-fix-ck_return-null-pointer-deref-on-malf.patch
 
+# Fix an use-after-free in substr() that modifies a magic variable, RT#129340,
+# in upstream after 5.25.9
+Patch86:        
perl-5.24.1-perl-129340-copy-the-source-when-inside-the-dest-in-.patch
+
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200:       
perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
 
@@ -3007,6 +3011,7 @@ Perl extension for Version Objects
 %patch83 -p1
 %patch84 -p1
 %patch85 -p1
+%patch86 -p1
 %patch200 -p1
 %patch201 -p1
 
@@ -3077,6 +3082,7 @@ perl -x patchlevel.h \
     'Fedora Patch83: Fix a heap buffer overflow when evaluating regexps with 
embedded code blocks from more than one source, RT#129881' \
     'Fedora Patch84: Fix a memory leak in list assignment from or to magic 
values, (RT#130766)' \
     'Fedora Patch85: Fix a null-pointer dereference on malformed code 
(RT#130815)' \
+    'Fedora Patch86: Fix an use-after-free in substr() that modifies a magic 
variable (RT#129340)' \
     'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on 
Linux' \
     'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
     %{nil}
@@ -5357,6 +5363,7 @@ popd
 %changelog
 * Wed Mar 08 2017 Petr Pisar <ppi...@redhat.com> - 4:5.24.1-385
 - Fix a null-pointer dereference on malformed code (RT#130815)
+- Fix an use-after-free in substr() that modifies a magic variable (RT#129340)
 
 * Fri Feb 17 2017 Petr Pisar <ppi...@redhat.com> - 4:5.24.1-384
 - Fix a crash when compiling a regexp with impossible quantifiers (RT#130561)
-- 
cgit v1.1


        
https://src.fedoraproject.org/cgit/perl.git/commit/?h=f25&id=1a0a0569c54ec32ce500f4e94c1b4a30a75c261e