From 24d3eb7629d3e20a9c0d3dd47c84e75003df1199 Mon Sep 17 00:00:00 2001 From: Rosen Penev Date: Sat, 10 Feb 2024 18:13:10 -0800 Subject: [PATCH] lua5.3: backport CVE fix Also refreshed some patches Signed-off-by: Rosen Penev --- package/utils/lua5.3/Makefile | 2 +- .../001-include-version-number.patch | 1 - .../patches-host/200-CVE-2019-6706.patch | 51 ++++++++++++++++ .../patches/001-include-version-number.patch | 1 - .../lua5.3/patches/020-shared_liblua.patch | 60 +++++++++---------- .../lua5.3/patches/200-CVE-2019-6706.patch | 51 ++++++++++++++++ 6 files changed, 133 insertions(+), 33 deletions(-) create mode 100644 package/utils/lua5.3/patches-host/200-CVE-2019-6706.patch create mode 100644 package/utils/lua5.3/patches/200-CVE-2019-6706.patch diff --git a/package/utils/lua5.3/Makefile b/package/utils/lua5.3/Makefile index 0a295040f2..405fa90145 100644 --- a/package/utils/lua5.3/Makefile +++ b/package/utils/lua5.3/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=lua PKG_VERSION:=5.3.5 -PKG_RELEASE:=5 +PKG_RELEASE:=6 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://www.lua.org/ftp/ \ diff --git a/package/utils/lua5.3/patches-host/001-include-version-number.patch b/package/utils/lua5.3/patches-host/001-include-version-number.patch index 78f0054960..1c9fdb250b 100644 --- a/package/utils/lua5.3/patches-host/001-include-version-number.patch +++ b/package/utils/lua5.3/patches-host/001-include-version-number.patch @@ -8,7 +8,6 @@ Including it allows multiple lua versions to coexist. Signed-off-by: Rafał Miłecki --- -diff --git a/Makefile b/Makefile --- a/Makefile +++ b/Makefile @@ -12,7 +12,7 @@ PLAT= none diff --git a/package/utils/lua5.3/patches-host/200-CVE-2019-6706.patch b/package/utils/lua5.3/patches-host/200-CVE-2019-6706.patch new file mode 100644 index 0000000000..8024d414cc --- /dev/null +++ b/package/utils/lua5.3/patches-host/200-CVE-2019-6706.patch @@ -0,0 +1,51 @@ +From 89aee84cbc9224f638f3b7951b306d2ee8ecb71e Mon Sep 17 00:00:00 2001 +From: Roberto Ierusalimschy +Date: Wed, 27 Mar 2019 14:30:12 -0300 +Subject: [PATCH] Fixed bug in 'lua_upvaluejoin' + +Bug-fix: joining an upvalue with itself could cause a use-after-free +crash. +--- + src/lapi.c | 12 +++++------ + 1 file changed, 41 insertions(+), 39 deletions(-) + +--- a/src/lapi.c ++++ b/src/lapi.c +@@ -1254,13 +1254,12 @@ LUA_API const char *lua_setupvalue (lua_ + } + + +-static UpVal **getupvalref (lua_State *L, int fidx, int n, LClosure **pf) { ++static UpVal **getupvalref (lua_State *L, int fidx, int n) { + LClosure *f; + StkId fi = index2addr(L, fidx); + api_check(L, ttisLclosure(fi), "Lua function expected"); + f = clLvalue(fi); + api_check(L, (1 <= n && n <= f->p->sizeupvalues), "invalid upvalue index"); +- if (pf) *pf = f; + return &f->upvals[n - 1]; /* get its upvalue pointer */ + } + +@@ -1269,7 +1268,7 @@ LUA_API void *lua_upvalueid (lua_State * + StkId fi = index2addr(L, fidx); + switch (ttype(fi)) { + case LUA_TLCL: { /* lua closure */ +- return *getupvalref(L, fidx, n, NULL); ++ return *getupvalref(L, fidx, n); + } + case LUA_TCCL: { /* C closure */ + CClosure *f = clCvalue(fi); +@@ -1286,9 +1285,10 @@ LUA_API void *lua_upvalueid (lua_State * + + LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1, + int fidx2, int n2) { +- LClosure *f1; +- UpVal **up1 = getupvalref(L, fidx1, n1, &f1); +- UpVal **up2 = getupvalref(L, fidx2, n2, NULL); ++ UpVal **up1 = getupvalref(L, fidx1, n1); ++ UpVal **up2 = getupvalref(L, fidx2, n2); ++ if (*up1 == *up2) ++ return; + luaC_upvdeccount(L, *up1); + *up1 = *up2; + (*up1)->refcount++; diff --git a/package/utils/lua5.3/patches/001-include-version-number.patch b/package/utils/lua5.3/patches/001-include-version-number.patch index 78f0054960..1c9fdb250b 100644 --- a/package/utils/lua5.3/patches/001-include-version-number.patch +++ b/package/utils/lua5.3/patches/001-include-version-number.patch @@ -8,7 +8,6 @@ Including it allows multiple lua versions to coexist. Signed-off-by: Rafał Miłecki --- -diff --git a/Makefile b/Makefile --- a/Makefile +++ b/Makefile @@ -12,7 +12,7 @@ PLAT= none diff --git a/package/utils/lua5.3/patches/020-shared_liblua.patch b/package/utils/lua5.3/patches/020-shared_liblua.patch index 7fa9652290..a462fa4f1e 100644 --- a/package/utils/lua5.3/patches/020-shared_liblua.patch +++ b/package/utils/lua5.3/patches/020-shared_liblua.patch @@ -1,5 +1,5 @@ ---- a/Makefile 2019-07-02 09:24:57.554332875 -0600 -+++ b/Makefile 2019-07-02 09:25:42.626694604 -0600 +--- a/Makefile ++++ b/Makefile @@ -41,7 +41,7 @@ PLATS= aix bsd c89 freebsd generic linux # What to install. TO_BIN= lua$V luac$V @@ -19,8 +19,8 @@ cd doc && $(INSTALL_DATA) $(TO_MAN) $(INSTALL_MAN) uninstall: ---- a/src/ldo.h 2017-04-19 11:20:42.000000000 -0600 -+++ b/src/ldo.h 2019-07-02 09:25:42.626694604 -0600 +--- a/src/ldo.h ++++ b/src/ldo.h @@ -47,8 +47,8 @@ LUAI_FUNC int luaD_pcall (lua_State *L, LUAI_FUNC int luaD_poscall (lua_State *L, CallInfo *ci, StkId firstResult, int nres); @@ -32,8 +32,8 @@ LUAI_FUNC void luaD_inctop (lua_State *L); LUAI_FUNC l_noret luaD_throw (lua_State *L, int errcode); ---- a/src/lfunc.h 2017-04-19 11:39:34.000000000 -0600 -+++ b/src/lfunc.h 2019-07-02 09:25:42.630694635 -0600 +--- a/src/lfunc.h ++++ b/src/lfunc.h @@ -47,14 +47,14 @@ struct UpVal { #define upisopen(up) ((up)->v != &(up)->u.value) @@ -55,8 +55,8 @@ int pc); ---- a/src/lgc.h 2017-04-19 11:39:34.000000000 -0600 -+++ b/src/lgc.h 2019-07-02 09:25:42.634694666 -0600 +--- a/src/lgc.h ++++ b/src/lgc.h @@ -133,11 +133,11 @@ LUAI_FUNC void luaC_fix (lua_State *L, GCObject *o); @@ -71,8 +71,8 @@ LUAI_FUNC void luaC_barrierback_ (lua_State *L, Table *o); LUAI_FUNC void luaC_upvalbarrier_ (lua_State *L, UpVal *uv); LUAI_FUNC void luaC_checkfinalizer (lua_State *L, GCObject *o, Table *mt); ---- a/src/llex.h 2017-04-19 11:20:42.000000000 -0600 -+++ b/src/llex.h 2019-07-02 09:25:42.630694635 -0600 +--- a/src/llex.h ++++ b/src/llex.h @@ -73,13 +73,13 @@ typedef struct LexState { @@ -92,8 +92,8 @@ #endif ---- a/src/lmem.h 2017-04-19 11:20:42.000000000 -0600 -+++ b/src/lmem.h 2019-07-02 09:25:42.630694635 -0600 +--- a/src/lmem.h ++++ b/src/lmem.h @@ -56,12 +56,12 @@ #define luaM_reallocvector(L, v,oldn,n,t) \ ((v)=cast(t *, luaM_reallocv(L, v, oldn, n, sizeof(t)))) @@ -110,8 +110,8 @@ size_t size_elem, int limit, const char *what); ---- a/src/lobject.h 2017-04-19 11:39:34.000000000 -0600 -+++ b/src/lobject.h 2019-07-02 09:25:42.630694635 -0600 +--- a/src/lobject.h ++++ b/src/lobject.h @@ -525,7 +525,7 @@ typedef struct Table { #define luaO_nilobject (&luaO_nilobject_) @@ -141,8 +141,8 @@ #endif ---- a/src/lopcodes.h 2017-04-19 11:20:42.000000000 -0600 -+++ b/src/lopcodes.h 2019-07-02 09:25:42.630694635 -0600 +--- a/src/lopcodes.h ++++ b/src/lopcodes.h @@ -278,7 +278,7 @@ enum OpArgMask { OpArgK /* argument is a constant or register/constant */ }; @@ -161,8 +161,8 @@ /* number of list items to accumulate before a SETLIST instruction */ ---- a/src/lstate.h 2017-04-19 11:39:34.000000000 -0600 -+++ b/src/lstate.h 2019-07-02 09:25:42.630694635 -0600 +--- a/src/lstate.h ++++ b/src/lstate.h @@ -244,9 +244,9 @@ union GCUnion { LUAI_FUNC void luaE_setdebt (global_State *g, l_mem debt); @@ -176,8 +176,8 @@ #endif ---- a/src/lstring.h 2017-04-19 11:20:42.000000000 -0600 -+++ b/src/lstring.h 2019-07-02 09:25:42.630694635 -0600 +--- a/src/lstring.h ++++ b/src/lstring.h @@ -35,15 +35,15 @@ LUAI_FUNC unsigned int luaS_hash (const char *str, size_t l, unsigned int seed); @@ -198,8 +198,8 @@ #endif ---- a/src/ltable.h 2018-05-24 13:39:05.000000000 -0600 -+++ b/src/ltable.h 2019-07-02 09:25:42.630694635 -0600 +--- a/src/ltable.h ++++ b/src/ltable.h @@ -41,14 +41,14 @@ @@ -218,8 +218,8 @@ LUAI_FUNC void luaH_resize (lua_State *L, Table *t, unsigned int nasize, unsigned int nhsize); LUAI_FUNC void luaH_resizearray (lua_State *L, Table *t, unsigned int nasize); ---- a/src/ltm.h 2017-04-19 11:20:42.000000000 -0600 -+++ b/src/ltm.h 2019-07-02 09:25:42.634694666 -0600 +--- a/src/ltm.h ++++ b/src/ltm.h @@ -55,10 +55,10 @@ typedef enum { LUAI_DDEC const char *const luaT_typenames_[LUA_TOTALTAGS]; @@ -245,8 +245,8 @@ const TValue *p2, TMS event); ---- a/src/lundump.h 2017-04-19 11:20:42.000000000 -0600 -+++ b/src/lundump.h 2019-07-02 09:25:42.634694666 -0600 +--- a/src/lundump.h ++++ b/src/lundump.h @@ -23,10 +23,10 @@ #define LUAC_FORMAT 0 /* this is the official format */ @@ -260,8 +260,8 @@ void* data, int strip); #endif ---- a/src/lzio.h 2017-04-19 11:20:42.000000000 -0600 -+++ b/src/lzio.h 2019-07-02 09:25:42.634694666 -0600 +--- a/src/lzio.h ++++ b/src/lzio.h @@ -61,6 +61,6 @@ struct Zio { }; @@ -270,8 +270,8 @@ +LUA_API int luaZ_fill (ZIO *z); #endif ---- a/src/Makefile 2019-07-02 09:24:57.554332875 -0600 -+++ b/src/Makefile 2019-07-02 09:25:42.630694635 -0600 +--- a/src/Makefile ++++ b/src/Makefile @@ -29,6 +29,7 @@ MYOBJS= PLATS= aix bsd c89 freebsd generic linux macosx mingw posix solaris diff --git a/package/utils/lua5.3/patches/200-CVE-2019-6706.patch b/package/utils/lua5.3/patches/200-CVE-2019-6706.patch new file mode 100644 index 0000000000..8024d414cc --- /dev/null +++ b/package/utils/lua5.3/patches/200-CVE-2019-6706.patch @@ -0,0 +1,51 @@ +From 89aee84cbc9224f638f3b7951b306d2ee8ecb71e Mon Sep 17 00:00:00 2001 +From: Roberto Ierusalimschy +Date: Wed, 27 Mar 2019 14:30:12 -0300 +Subject: [PATCH] Fixed bug in 'lua_upvaluejoin' + +Bug-fix: joining an upvalue with itself could cause a use-after-free +crash. +--- + src/lapi.c | 12 +++++------ + 1 file changed, 41 insertions(+), 39 deletions(-) + +--- a/src/lapi.c ++++ b/src/lapi.c +@@ -1254,13 +1254,12 @@ LUA_API const char *lua_setupvalue (lua_ + } + + +-static UpVal **getupvalref (lua_State *L, int fidx, int n, LClosure **pf) { ++static UpVal **getupvalref (lua_State *L, int fidx, int n) { + LClosure *f; + StkId fi = index2addr(L, fidx); + api_check(L, ttisLclosure(fi), "Lua function expected"); + f = clLvalue(fi); + api_check(L, (1 <= n && n <= f->p->sizeupvalues), "invalid upvalue index"); +- if (pf) *pf = f; + return &f->upvals[n - 1]; /* get its upvalue pointer */ + } + +@@ -1269,7 +1268,7 @@ LUA_API void *lua_upvalueid (lua_State * + StkId fi = index2addr(L, fidx); + switch (ttype(fi)) { + case LUA_TLCL: { /* lua closure */ +- return *getupvalref(L, fidx, n, NULL); ++ return *getupvalref(L, fidx, n); + } + case LUA_TCCL: { /* C closure */ + CClosure *f = clCvalue(fi); +@@ -1286,9 +1285,10 @@ LUA_API void *lua_upvalueid (lua_State * + + LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1, + int fidx2, int n2) { +- LClosure *f1; +- UpVal **up1 = getupvalref(L, fidx1, n1, &f1); +- UpVal **up2 = getupvalref(L, fidx2, n2, NULL); ++ UpVal **up1 = getupvalref(L, fidx1, n1); ++ UpVal **up2 = getupvalref(L, fidx2, n2); ++ if (*up1 == *up2) ++ return; + luaC_upvdeccount(L, *up1); + *up1 = *up2; + (*up1)->refcount++; -- 2.30.2