Fix a stack buffer overflow in deserialization of hooks
This commit is contained in:
parent
c4a917f963
commit
73872437b6
|
@ -0,0 +1,103 @@
|
||||||
|
From c34e1dd29983e5d36d367462b9b4b4b8fcd5a0f8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
||||||
|
Date: Mon, 6 Feb 2017 15:13:41 +0100
|
||||||
|
Subject: [PATCH] Fix stack buffer overflow in deserialization of hooks.
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Ported from perl:
|
||||||
|
|
||||||
|
commit 3e998ddfb597cfae7bdb460b22e6c50440b1de92
|
||||||
|
Author: John Lightsey <jd@cpanel.net>
|
||||||
|
Date: Tue Jan 24 10:30:18 2017 -0600
|
||||||
|
|
||||||
|
Fix stack buffer overflow in deserialization of hooks.
|
||||||
|
|
||||||
|
The use of signed lengths resulted in a stack overflow in retrieve_hook()
|
||||||
|
when a negative length was provided in the storable data.
|
||||||
|
|
||||||
|
The retrieve_blessed() codepath had a similar problem with the placement
|
||||||
|
of the trailing null byte when negative lengths were provided.
|
||||||
|
|
||||||
|
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||||
|
---
|
||||||
|
Storable.xs | 11 +++++++++--
|
||||||
|
t/store.t | 12 +++++++++++-
|
||||||
|
2 files changed, 20 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/Storable.xs b/Storable.xs
|
||||||
|
index bc15d1d..3cce3ed 100644
|
||||||
|
--- a/Storable.xs
|
||||||
|
+++ b/Storable.xs
|
||||||
|
@@ -4016,7 +4016,7 @@ static SV *retrieve_idx_blessed(pTHX_ stcxt_t *cxt, const char *cname)
|
||||||
|
*/
|
||||||
|
static SV *retrieve_blessed(pTHX_ stcxt_t *cxt, const char *cname)
|
||||||
|
{
|
||||||
|
- I32 len;
|
||||||
|
+ U32 len;
|
||||||
|
SV *sv;
|
||||||
|
char buf[LG_BLESS + 1]; /* Avoid malloc() if possible */
|
||||||
|
char *classname = buf;
|
||||||
|
@@ -4037,6 +4037,9 @@ static SV *retrieve_blessed(pTHX_ stcxt_t *cxt, const char *cname)
|
||||||
|
if (len & 0x80) {
|
||||||
|
RLEN(len);
|
||||||
|
TRACEME(("** allocating %d bytes for class name", len+1));
|
||||||
|
+ if (len > I32_MAX) {
|
||||||
|
+ CROAK(("Corrupted classname length"));
|
||||||
|
+ }
|
||||||
|
New(10003, classname, len+1, char);
|
||||||
|
malloced_classname = classname;
|
||||||
|
}
|
||||||
|
@@ -4087,7 +4090,7 @@ static SV *retrieve_blessed(pTHX_ stcxt_t *cxt, const char *cname)
|
||||||
|
*/
|
||||||
|
static SV *retrieve_hook(pTHX_ stcxt_t *cxt, const char *cname)
|
||||||
|
{
|
||||||
|
- I32 len;
|
||||||
|
+ U32 len;
|
||||||
|
char buf[LG_BLESS + 1]; /* Avoid malloc() if possible */
|
||||||
|
char *classname = buf;
|
||||||
|
unsigned int flags;
|
||||||
|
@@ -4221,6 +4224,10 @@ static SV *retrieve_hook(pTHX_ stcxt_t *cxt, const char *cname)
|
||||||
|
else
|
||||||
|
GETMARK(len);
|
||||||
|
|
||||||
|
+ if (len > I32_MAX) {
|
||||||
|
+ CROAK(("Corrupted classname length"));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (len > LG_BLESS) {
|
||||||
|
TRACEME(("** allocating %d bytes for class name", len+1));
|
||||||
|
New(10003, classname, len+1, char);
|
||||||
|
diff --git a/t/store.t b/t/store.t
|
||||||
|
index be43299..1cbf021 100644
|
||||||
|
--- a/t/store.t
|
||||||
|
+++ b/t/store.t
|
||||||
|
@@ -19,7 +19,7 @@ sub BEGIN {
|
||||||
|
|
||||||
|
use Storable qw(store retrieve store_fd nstore_fd fd_retrieve);
|
||||||
|
|
||||||
|
-use Test::More tests => 21;
|
||||||
|
+use Test::More tests => 22;
|
||||||
|
|
||||||
|
$a = 'toto';
|
||||||
|
$b = \$a;
|
||||||
|
@@ -87,5 +87,15 @@ is(&dump($r), &dump(\%a));
|
||||||
|
eval { $r = fd_retrieve(::OUT); };
|
||||||
|
isnt($@, '');
|
||||||
|
|
||||||
|
+{
|
||||||
|
+
|
||||||
|
+ my $frozen =
|
||||||
|
+ "\x70\x73\x74\x30\x04\x0a\x08\x31\x32\x33\x34\x35\x36\x37\x38\x04\x08\x08\x08\x03\xff\x00\x00\x00\x19\x08\xff\x00\x00\x00\x08\x08\xf9\x16\x16\x13\x16\x10\x10\x10\xff\x15\x16\x16\x16\x1e\x16\x16\x16\x16\x16\x16\x16\x16\x16\x16\x13\xf0\x16\x16\x16\xfe\x16\x41\x41\x41\x41\xe8\x03\x41\x41\x41\x41\x41\x41\x41\x41\x51\x41\xa9\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xb8\xac\xac\xac\xac\xac\xac\xac\xac\x9a\xac\xac\xac\xac\xac\xac\xac\xac\xac\x93\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\x00\x64\xac\xa8\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\x2c\xac\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00\x80\x41\x80\x41\x41\x41\x41\x41\x41\x51\x41\xac\xac\xac";
|
||||||
|
+ open my $fh, '<', \$frozen;
|
||||||
|
+ eval { Storable::fd_retrieve($fh); };
|
||||||
|
+ pass('RT 130635: no stack smashing error when retrieving hook');
|
||||||
|
+
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
close OUT or die "Could not close: $!";
|
||||||
|
END { 1 while unlink 'store' }
|
||||||
|
--
|
||||||
|
2.7.4
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
Name: perl-Storable
|
Name: perl-Storable
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
Version: 2.56
|
Version: 2.56
|
||||||
Release: 367%{?dist}
|
Release: 368%{?dist}
|
||||||
Summary: Persistence for Perl data structures
|
Summary: Persistence for Perl data structures
|
||||||
License: GPL+ or Artistic
|
License: GPL+ or Artistic
|
||||||
Group: Development/Libraries
|
Group: Development/Libraries
|
||||||
|
@ -18,6 +18,9 @@ Patch2: Storable-2.56-CVE-2016-1238-avoid-loading-optional-modules-from.
|
||||||
# Fix crash in Storable when deserializing malformed code reference, RT#68348,
|
# Fix crash in Storable when deserializing malformed code reference, RT#68348,
|
||||||
# RT130098
|
# RT130098
|
||||||
Patch3: perl-5.25.7-Fix-Storable-segfaults.patch
|
Patch3: perl-5.25.7-Fix-Storable-segfaults.patch
|
||||||
|
# Fix a stack buffer overflow in deserialization of hooks, RT#130635,
|
||||||
|
# fixed in perl after 5.25.9
|
||||||
|
Patch4: Storable-2.56-Fix-stack-buffer-overflow-in-deserialization-of-hook.patch
|
||||||
BuildRequires: coreutils
|
BuildRequires: coreutils
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
|
@ -77,6 +80,7 @@ can be conveniently stored to disk and retrieved at a later time.
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
%patch2 -p1
|
%patch2 -p1
|
||||||
%patch3 -p3
|
%patch3 -p3
|
||||||
|
%patch4 -p1
|
||||||
# Remove bundled modules
|
# Remove bundled modules
|
||||||
rm -rf t/compat
|
rm -rf t/compat
|
||||||
sed -i -e '/^t\/compat\//d' MANIFEST
|
sed -i -e '/^t\/compat\//d' MANIFEST
|
||||||
|
@ -103,6 +107,9 @@ make test
|
||||||
%{_mandir}/man3/*
|
%{_mandir}/man3/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Feb 06 2017 Petr Pisar <ppisar@redhat.com> - 1:2.56-368
|
||||||
|
- Fix a stack buffer overflow in deserialization of hooks (RT#130635)
|
||||||
|
|
||||||
* Tue Dec 20 2016 Petr Pisar <ppisar@redhat.com> - 1:2.56-367
|
* Tue Dec 20 2016 Petr Pisar <ppisar@redhat.com> - 1:2.56-367
|
||||||
- Fix crash in Storable when deserializing malformed code reference
|
- Fix crash in Storable when deserializing malformed code reference
|
||||||
(RT#68348, RT#130098)
|
(RT#68348, RT#130098)
|
||||||
|
|
Loading…
Reference in New Issue