From 539842d6102f982b231707721531aaaa0f65143e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Mon, 25 Nov 2019 16:03:41 +0100
Subject: [PATCH] Fix a buffer overflow when processing a vstring longer than 2^31-1
---
 ...low-vstring-magic-strings-over-2GB-1.patch | 67 +++++++++++++++++++
 perl-Storable.spec | 10 ++-
 2 files changed, 76 insertions(+), 1 deletion(-)
 create mode 100644 perl-5.31.6-disallow-vstring-magic-strings-over-2GB-1.patch
diff --git a/perl-5.31.6-disallow-vstring-magic-strings-over-2GB-1.patch b/perl-5.31.6-disallow-vstring-magic-strings-over-2GB-1.patch
new file mode 100644
index 0000000..e3e9819
--- /dev/null
+++ b/perl-5.31.6-disallow-vstring-magic-strings-over-2GB-1.patch
@@ -0,0 +1,67 @@
+From ea1e86cfdf26a330e58ea377a80273de7110011b Mon Sep 17 00:00:00 2001
+From: Tony Cook
+Date: Wed, 21 Aug 2019 11:37:58 +1000
+Subject: [PATCH] disallow vstring magic strings over 2GB-1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+On reads this could result in buffer overflows, so avoid writing
+such large vstrings to avoid causing problems for older Storable.
+
+Since we no longer write such large vstrings, we don't want to accept
+them.
+
+I doubt that restricting versions strings to under 2GB-1 will have
+a practical effect on downstream users.
+
+fixes #17306
+
+Signed-off-by: Petr Písař
+---
+ dist/Storable/Storable.xs | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/dist/Storable/Storable.xs b/dist/Storable/Storable.xs
+index c2335680ab..d27ac58012 100644
+--- a/dist/Storable/Storable.xs
++++ b/dist/Storable/Storable.xs
+@@ -2628,6 +2628,12 @@ static int store_scalar(pTHX_ stcxt_t *cxt, SV *sv)
+ /* The macro passes this by address, not value, and a lot of
+ called code assumes that it's 32 bits without checking. */
+ const SSize_t len = mg->mg_len;
++ /* we no longer accept vstrings over I32_SIZE-1, so don't emit
++ them, also, older Storables handle them badly.
++ */
++ if (len >= I32_MAX) {
++ CROAK(("vstring too large to freeze"));
++ }
+ STORE_PV_LEN((const char *)mg->mg_ptr,
+ len, SX_VSTRING, SX_LVSTRING);
+ }
+@@ -5937,12 +5943,19 @@ static SV *retrieve_lvstring(pTHX_ stcxt_t *cxt, const char *cname)
+ {
+ #ifdef SvVOK
+ char *s;
+- I32 len;
++ U32 len;
+ SV *sv;
+ 
+ RLEN(len);
+- TRACEME(("retrieve_lvstring (#%d), len = %" IVdf,
+- (int)cxt->tagnum, (IV)len));
++ TRACEME(("retrieve_lvstring (#%d), len = %" UVuf,
++ (int)cxt->tagnum, (UV)len));
++
++ /* Since we'll no longer produce such large vstrings, reject them
++ here too.
++ */
++ if (len >= I32_MAX) {
++ CROAK(("vstring too large to fetch"));
++ }
+ 
+ New(10003, s, len+1, char);
+ SAFEPVREAD(s, len, s);
+-- 
+2.21.0
+
diff --git a/perl-Storable.spec b/perl-Storable.spec
index 127ebf5..855c4f1 100644
--- a/perl-Storable.spec
+++ b/perl-Storable.spec
@@ -1,7 +1,7 @@
 Name: perl-Storable
 Epoch: 1
 Version: 3.15
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Persistence for Perl data structures
 # __Storable__.pm: GPL+ or Artistic
 License: GPL+ or Artistic
@@ -12,6 +12,9 @@ Source0: https://cpan.metacpan.org/authors/id/X/XS/XSAWYERX/Storable-%{ve
 Patch0: Storable-3.15-perl-134179-include-regexps-in-the-seen-objects-tabl.patch
 # Fix array length check in a store hook, in Perl upstream after 5.31.2
 Patch1: Storable-3.16-Storable-make-count-large-enough.patch
+# Fix a buffer overflow when processing a vstring longer than 2^31-1,
+# Perl GH#17306, in perl upstream after 5.31.6
+Patch2: perl-5.31.6-disallow-vstring-magic-strings-over-2GB-1.patch
 BuildRequires: gcc
 BuildRequires: make
 BuildRequires: perl-devel
@@ -73,6 +76,7 @@ can be conveniently stored to disk and retrieved at a later time.
 %setup -q -n Storable-%{version}
 %patch0 -p3
 %patch1 -p3
+%patch2 -p3
 
 %build
 perl Makefile.PL INSTALLDIRS=vendor NO_PACKLIST=1 NO_PERLLOCAL=1 OPTIMIZE="$RPM_OPT_FLAGS"
@@ -95,6 +99,10 @@ make test
 %{_mandir}/man3/*
 
 %changelog
+* Mon Nov 25 2019 Petr Pisar - 1:3.15-4
+- Fix a buffer overflow when processing a vstring longer than 2^31-1
+ (Perl GH#17306)
+
 * Thu Aug 08 2019 Petr Pisar - 1:3.15-3
 - Fix array length check in a store hook
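Review bot: The two new guards reject `len >= I32_MAX` rather than `len > I32_MAX`, and neither comment says why; a reader comparing with the subject line ("over 2GB-1") may take the inclusive bound for an off-by-one. In retrieve_lvstring the reason is visible a few lines down, `New(10003, s, len+1, char)`: the length read from the stream must leave room for the terminator in a count that the existing store_scalar comment says callers treat as 32 bits, so I would state that in the retrieve-side comment, e.g. `/* >= rather than >: len+1 must still fit the 32-bit length that callers assume */`, and mirror it in store_scalar. On the store side `len` is an SSize_t and the guard bounds it only from above; if mg_len can ever be negative for vstring magic (not visible in this hunk), `if (len < 0 || len >= I32_MAX)` would close that path as well. Both store_scalar and retrieve_lvstring begin and end outside the hunk.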