From 25f768ebd125b9ac866a726d2b0a475aa1639e18 Mon Sep 17 00:00:00 2001
From: cenhuilin
Date: Wed, 20 Jul 2022 09:03:19 +0800
Subject: [PATCH] fix CVE-2022-33099
---
 backport-CVE-2022-33099.patch | 62 +++++++++++++++++++++++++++++++++++
 lua.spec | 7 +++-
 2 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-33099.patch
diff --git a/backport-CVE-2022-33099.patch b/backport-CVE-2022-33099.patch
new file mode 100644
index 0000000..2455e10
--- /dev/null
+++ b/backport-CVE-2022-33099.patch
@@ -0,0 +1,62 @@
+From 3652d758ec6a4113e139baa66c9693afbf58fed6 Mon Sep 17 00:00:00 2001
+From: cenhuilin
+Date: Tue, 12 Jul 2022 10:53:55 +0800
+Subject: [PATCH] Save stack space while handling errors
+
+Because error handling (luaG_errormsg) uses slots from EXTRA_STACK,
+and some errors can recur (e.g., string overflow while creating an
+error message in 'luaG_runerror', or a C-stack overflow before calling
+the message handler), the code should use stack slots with parsimony.
+
+This commit fixes the bug "Lua-stack overflow when C stack overflows
+while handling an error".
+---
+ src/ldebug.c | 5 ++++-
+ src/lvm.c | 6 ++++--
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/ldebug.c b/src/ldebug.c
+index 1feaab2..5524fae 100644
+--- a/src/ldebug.c
++++ b/src/ldebug.c
+@@ -783,8 +783,11 @@ l_noret luaG_runerror (lua_State *L, const char *fmt, ...) {
+ va_start(argp, fmt);
+ msg = luaO_pushvfstring(L, fmt, argp); /* format message */
+ va_end(argp);
+- if (isLua(ci)) /* if Lua function, add source:line information */
++ if (isLua(ci)) { /* if Lua function, add source:line information */
+ luaG_addinfo(L, msg, ci_func(ci)->p->source, getcurrentline(ci));
++ setobjs2s(L, L->top - 2, L->top - 1); /* remove 'msg' from the stack */
++ L->top--;
++ }
+ luaG_errormsg(L);
+ }
+
+diff --git a/src/lvm.c b/src/lvm.c
+index c9729bc..a965087 100644
+--- a/src/lvm.c
++++ b/src/lvm.c
+@@ -656,8 +656,10 @@ void luaV_concat (lua_State *L, int total) {
+ /* collect total length and number of strings */
+ for (n = 1; n < total && tostring(L, s2v(top - n - 1)); n++) {
+ size_t l = vslen(s2v(top - n - 1));
+- if (l_unlikely(l >= (MAX_SIZE/sizeof(char)) - tl))
++ if (l_unlikely(l >= (MAX_SIZE/sizeof(char)) - tl)) {
++ L->top = top - total; /* pop strings to avoid wasting stack */
+ luaG_runerror(L, "string length overflow");
++ }
+ tl += l;
+ }
+ if (tl <= LUAI_MAXSHORTLEN) { /* is result a short string? */
+@@ -672,7 +674,7 @@ void luaV_concat (lua_State *L, int total) {
+ setsvalue2s(L, top - n, ts); /* create result */
+ }
+ total -= n-1; /* got 'n' strings to create 1 new */
+- L->top -= n-1; /* popped 'n' strings and pushed one */
++ L->top = top - (n - 1); /* popped 'n' strings and pushed one */
+ } while (total > 1); /* repeat until only 1 result left */
+ }
+
+--
+2.33.0
+
diff --git a/lua.spec b/lua.spec
index d5fa0e7..be12929 100644
--- a/lua.spec
+++ b/lua.spec
@@ -6,7 +6,7 @@ Name: lua
 Version: 5.4.3
-Release: 6
+Release: 7
 Summary: A powerful, efficient, lightweight, embeddable scripting language
 License: MIT
 URL: http://www.lua.org/
@@ -26,6 +26,7 @@ Patch3: lua-5.3.0-configure-compat-module.patch
 Patch6000: backport-CVE-2021-43519.patch
 Patch6001: backport-CVE-2021-44647.patch
 Patch6002: backport-CVE-2022-28805.patch
+Patch6003: backport-CVE-2022-33099.patch
 BuildRequires: automake autoconf libtool readline-devel ncurses-devel
@@ -61,6 +62,7 @@ mv src/luaconf.h src/luaconf.h.template.in
 %patch6000 -p1
 %patch6001 -p1
 %patch6002 -p1
+%patch6003 -p1
 # Put proper version in configure.ac, patch0 hardcodes 5.3.0
 sed -i 's|5.3.0|%{version}|g' configure.ac
@@ -135,6 +137,9 @@ LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_libdir} $RPM_BUILD_ROOT/%{_bindir}/lua -e"_U=
 %{_mandir}/man1/lua*.1*
 %changelog
+* Tue Jul 12 2022 cenhuilin - 5.4.3-7
+- fix CVE-2022-33099
+
 * Fri Apr 15 2022 shixuantong - 5.4.3-6
 - fix CVE-2021-44647 CVE-2022-28805
--
Gitee
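Review bot: The header of the new backport-CVE-2022-33099.patch names the backporter as author and carries no pointer to the upstream Lua commit it was taken from, nor does its description mention CVE-2022-33099, so a later maintainer cannot audit the ldebug.c and lvm.c hunks against their origin without a search. A trailer under the Subject such as `Reference: <upstream commit URL>` plus a one-line mention of the CVE in the description would make the provenance checkable from the file alone. The hunks themselves are consistent with the stated intent: `L->top = top - total;` discards the partially collected strings before `luaG_runerror` raises, the second lvm.c hunk recomputes `L->top` from `top` because the error path now writes it, and `setobjs2s(L, L->top - 2, L->top - 1); L->top--;` drops the intermediate 'msg' slot — the last of these presumes `luaG_addinfo` leaves exactly one value above msg, which the hunk does not show. Both enclosing functions, luaG_runerror and luaV_concat, begin outside the hunks.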