subject:"\[oe\-core\]\[kirkstone\]\[PATCH 1\/1\] lua\: Backport fix for CVE\-2022\-33099"

Re: [oe-core][kirkstone][PATCH 1/1] lua: Backport fix for CVE-2022-33099

2022-07-27 Thread Steve Sakoman

This patch is in the set currently out for review:

https://lists.openembedded.org/g/openembedded-core/message/168524

So it should hit kirkstone in the next few days.

Steve




On Wed, Jul 27, 2022 at 7:48 AM Joe Slater  wrote:
>
> From: Khem Raj 
>
> Fixes stack overflow while handling recurring errors in Lua-stack
>
> Signed-off-by: Khem Raj 
> Signed-off-by: Richard Purdie 
> (cherry picked from commit caad9d5f7184f0fa60fa7770e5d3da3f533647cb)
> Signed-off-by: Joe Slater 
> ---
>  .../lua/lua/CVE-2022-33099.patch  | 61 +++
>  meta/recipes-devtools/lua/lua_5.4.4.bb|  1 +
>  2 files changed, 62 insertions(+)
>  create mode 100644 meta/recipes-devtools/lua/lua/CVE-2022-33099.patch
>
> diff --git a/meta/recipes-devtools/lua/lua/CVE-2022-33099.patch 
> b/meta/recipes-devtools/lua/lua/CVE-2022-33099.patch
> new file mode 100644
> index 00..fe7b6065c2
> --- /dev/null
> +++ b/meta/recipes-devtools/lua/lua/CVE-2022-33099.patch
> @@ -0,0 +1,61 @@
> +From 42d40581dd919fb134c07027ca1ce0844c670daf Mon Sep 17 00:00:00 2001
> +From: Roberto Ierusalimschy 
> +Date: Fri, 20 May 2022 13:14:33 -0300
> +Subject: [PATCH] Save stack space while handling errors
> +
> +Because error handling (luaG_errormsg) uses slots from EXTRA_STACK,
> +and some errors can recur (e.g., string overflow while creating an
> +error message in 'luaG_runerror', or a C-stack overflow before calling
> +the message handler), the code should use stack slots with parsimony.
> +
> +This commit fixes the bug "Lua-stack overflow when C stack overflows
> +while handling an error".
> +
> +CVE: CVE-2022-33099
> +
> +Upstream-Status: Backport 
> [https://github.com/lua/lua/commit/42d40581dd919fb134c07027ca1ce0844c670daf]
> +
> +Signed-off-by: Khem Raj 
> +---
> + ldebug.c | 5 -
> + lvm.c| 6 --
> + 2 files changed, 8 insertions(+), 3 deletions(-)
> +
> +--- a/src/ldebug.c
>  b/src/ldebug.c
> +@@ -824,8 +824,11 @@ l_noret luaG_runerror (lua_State *L, con
> +   va_start(argp, fmt);
> +   msg = luaO_pushvfstring(L, fmt, argp);  /* format message */
> +   va_end(argp);
> +-  if (isLua(ci))  /* if Lua function, add source:line information */
> ++  if (isLua(ci)) {  /* if Lua function, add source:line information */
> + luaG_addinfo(L, msg, ci_func(ci)->p->source, getcurrentline(ci));
> ++setobjs2s(L, L->top - 2, L->top - 1);  /* remove 'msg' from the stack */
> ++L->top--;
> ++  }
> +   luaG_errormsg(L);
> + }
> +
> +--- a/src/lvm.c
>  b/src/lvm.c
> +@@ -656,8 +656,10 @@ void luaV_concat (lua_State *L, int tota
> +   /* collect total length and number of strings */
> +   for (n = 1; n < total && tostring(L, s2v(top - n - 1)); n++) {
> + size_t l = vslen(s2v(top - n - 1));
> +-if (l_unlikely(l >= (MAX_SIZE/sizeof(char)) - tl))
> ++if (l_unlikely(l >= (MAX_SIZE/sizeof(char)) - tl)) {
> ++  L->top = top - total;  /* pop strings to avoid wasting stack */
> +   luaG_runerror(L, "string length overflow");
> ++}
> + tl += l;
> +   }
> +   if (tl <= LUAI_MAXSHORTLEN) {  /* is result a short string? */
> +@@ -672,7 +674,7 @@ void luaV_concat (lua_State *L, int tota
> +   setsvalue2s(L, top - n, ts);  /* create result */
> + }
> + total -= n-1;  /* got 'n' strings to create 1 new */
> +-L->top -= n-1;  /* popped 'n' strings and pushed one */
> ++L->top = top - (n - 1);  /* popped 'n' strings and pushed one */
> +   } while (total > 1);  /* repeat until only 1 result left */
> + }
> +
> diff --git a/meta/recipes-devtools/lua/lua_5.4.4.bb 
> b/meta/recipes-devtools/lua/lua_5.4.4.bb
> index 6f2cea5314..0b2e754b31 100644
> --- a/meta/recipes-devtools/lua/lua_5.4.4.bb
> +++ b/meta/recipes-devtools/lua/lua_5.4.4.bb
> @@ -7,6 +7,7 @@ HOMEPAGE = "http://www.lua.org/;
>  SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \
> file://lua.pc.in \
> file://CVE-2022-28805.patch \
> +   file://CVE-2022-33099.patch \
> ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 
> 'http://www.lua.org/tests/lua-${PV_testsuites}-tests.tar.gz;name=tarballtest 
> file://run-ptest ', '', d)} \
> "
>
> --
> 2.25.1
>
>
> 
>

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#168586): 
https://lists.openembedded.org/g/openembedded-core/message/168586
Mute This Topic: https://lists.openembedded.org/mt/92654482/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][kirkstone][PATCH 1/1] lua: Backport fix for CVE-2022-33099

2022-07-27 Thread Joe Slater

From: Khem Raj 

Fixes stack overflow while handling recurring errors in Lua-stack

Signed-off-by: Khem Raj 
Signed-off-by: Richard Purdie 
(cherry picked from commit caad9d5f7184f0fa60fa7770e5d3da3f533647cb)
Signed-off-by: Joe Slater 
---
 .../lua/lua/CVE-2022-33099.patch  | 61 +++
 meta/recipes-devtools/lua/lua_5.4.4.bb|  1 +
 2 files changed, 62 insertions(+)
 create mode 100644 meta/recipes-devtools/lua/lua/CVE-2022-33099.patch

diff --git a/meta/recipes-devtools/lua/lua/CVE-2022-33099.patch 
b/meta/recipes-devtools/lua/lua/CVE-2022-33099.patch
new file mode 100644
index 00..fe7b6065c2
--- /dev/null
+++ b/meta/recipes-devtools/lua/lua/CVE-2022-33099.patch
@@ -0,0 +1,61 @@
+From 42d40581dd919fb134c07027ca1ce0844c670daf Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy 
+Date: Fri, 20 May 2022 13:14:33 -0300
+Subject: [PATCH] Save stack space while handling errors
+
+Because error handling (luaG_errormsg) uses slots from EXTRA_STACK,
+and some errors can recur (e.g., string overflow while creating an
+error message in 'luaG_runerror', or a C-stack overflow before calling
+the message handler), the code should use stack slots with parsimony.
+
+This commit fixes the bug "Lua-stack overflow when C stack overflows
+while handling an error".
+
+CVE: CVE-2022-33099
+
+Upstream-Status: Backport 
[https://github.com/lua/lua/commit/42d40581dd919fb134c07027ca1ce0844c670daf]
+
+Signed-off-by: Khem Raj 
+---
+ ldebug.c | 5 -
+ lvm.c| 6 --
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+--- a/src/ldebug.c
 b/src/ldebug.c
+@@ -824,8 +824,11 @@ l_noret luaG_runerror (lua_State *L, con
+   va_start(argp, fmt);
+   msg = luaO_pushvfstring(L, fmt, argp);  /* format message */
+   va_end(argp);
+-  if (isLua(ci))  /* if Lua function, add source:line information */
++  if (isLua(ci)) {  /* if Lua function, add source:line information */
+ luaG_addinfo(L, msg, ci_func(ci)->p->source, getcurrentline(ci));
++setobjs2s(L, L->top - 2, L->top - 1);  /* remove 'msg' from the stack */
++L->top--;
++  }
+   luaG_errormsg(L);
+ }
+ 
+--- a/src/lvm.c
 b/src/lvm.c
+@@ -656,8 +656,10 @@ void luaV_concat (lua_State *L, int tota
+   /* collect total length and number of strings */
+   for (n = 1; n < total && tostring(L, s2v(top - n - 1)); n++) {
+ size_t l = vslen(s2v(top - n - 1));
+-if (l_unlikely(l >= (MAX_SIZE/sizeof(char)) - tl))
++if (l_unlikely(l >= (MAX_SIZE/sizeof(char)) - tl)) {
++  L->top = top - total;  /* pop strings to avoid wasting stack */
+   luaG_runerror(L, "string length overflow");
++}
+ tl += l;
+   }
+   if (tl <= LUAI_MAXSHORTLEN) {  /* is result a short string? */
+@@ -672,7 +674,7 @@ void luaV_concat (lua_State *L, int tota
+   setsvalue2s(L, top - n, ts);  /* create result */
+ }
+ total -= n-1;  /* got 'n' strings to create 1 new */
+-L->top -= n-1;  /* popped 'n' strings and pushed one */
++L->top = top - (n - 1);  /* popped 'n' strings and pushed one */
+   } while (total > 1);  /* repeat until only 1 result left */
+ }
+ 
diff --git a/meta/recipes-devtools/lua/lua_5.4.4.bb 
b/meta/recipes-devtools/lua/lua_5.4.4.bb
index 6f2cea5314..0b2e754b31 100644
--- a/meta/recipes-devtools/lua/lua_5.4.4.bb
+++ b/meta/recipes-devtools/lua/lua_5.4.4.bb
@@ -7,6 +7,7 @@ HOMEPAGE = "http://www.lua.org/;
 SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \
file://lua.pc.in \
file://CVE-2022-28805.patch \
+   file://CVE-2022-33099.patch \
${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 
'http://www.lua.org/tests/lua-${PV_testsuites}-tests.tar.gz;name=tarballtest 
file://run-ptest ', '', d)} \
"
 
-- 
2.25.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#168584): 
https://lists.openembedded.org/g/openembedded-core/message/168584
Mute This Topic: https://lists.openembedded.org/mt/92654482/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [oe-core][kirkstone][PATCH 1/1] lua: Backport fix for CVE-2022-33099

[oe-core][kirkstone][PATCH 1/1] lua: Backport fix for CVE-2022-33099

2 matches

Site Navigation

Mail list logo

Footer information