Message ID | 20220509074009.12239-1-omkarpatil10.93@gmail.com |
---|---|
State | Accepted, archived |
Delegated to: | Armin Kuster |
Headers | show |
Series | [meta-oe,dunfell] lua: fix CVE-2022-28805 | expand |
Reminder, please check this patch.
On Sun, May 8, 2022 at 9:40 PM omkar <omkarpatil10.93@gmail.com> wrote: > > From: Steve Sakoman <steve@sakoman.com> I'm not the maintainer for meta-openembedded, but this appears to be a patch that I originally submitted for the lua recipe in oe-core master branch. This recipe was moved to oe-core post dunfell release, so it does make sense to patch the lua version on meta-openembedded. Perhaps this patch wasn't taken because it has at least one issue, see below. > singlevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2anyregup > call, leading to a heap-based buffer over-read that might affect a system that > compiles untrusted Lua code. > > https://nvd.nist.gov/vuln/detail/CVE-2022-28805 > > (From OE-Core rev: d2ba3b8850d461bc7b773240cdf15b22b31a3f9e) > > Signed-off-by: Sana Kazi <sana.kazi@kpit.com> > Signed-off-by: Steve Sakoman <steve@sakoman.com> > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> > (cherry picked from commit 91e14d3a8e6e67267047473f5c449f266b44f354) > Signed-off-by: Omkar Patil <omkar.patil@kpit.com> > Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com> > --- > .../lua/lua/0001-lua-fix-CVE-2022-28805.patch | 73 +++++++++++++++++++ > .../lua/lua/CVE-2022-28805.patch | 28 +++++++ > meta-oe/recipes-devtools/lua/lua_5.3.6.bb | 1 + > 3 files changed, 102 insertions(+) > create mode 100644 meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch > create mode 100644 meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch > > diff --git a/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch > new file mode 100644 > index 000000000..606c9ea98 > --- /dev/null > +++ b/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch This seems to be adding a file that is an edited version of my original patch. This seems to have no purpose! > @@ -0,0 +1,73 @@ > +From a38684e4cb4e1439e5f2f7370724496d5b363b32 Mon Sep 17 00:00:00 2001 > +From: Steve Sakoman <steve@sakoman.com> > +Date: Mon, 18 Apr 2022 09:04:08 -1000 > +Subject: [PATCH] lua: fix CVE-2022-28805 > + > +singlevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2anyregup > +call, leading to a heap-based buffer over-read that might affect a system that > +compiles untrusted Lua code. > + > +https://nvd.nist.gov/vuln/detail/CVE-2022-28805 > + > +(From OE-Core rev: d2ba3b8850d461bc7b773240cdf15b22b31a3f9e) > + > +Signed-off-by: Sana Kazi <sana.kazi@kpit.com> > +Signed-off-by: Steve Sakoman <steve@sakoman.com> > +Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> > +(cherry picked from commit 91e14d3a8e6e67267047473f5c449f266b44f354) > +Signed-off-by: Omkar Patil <omkar.patil@kpit.com> > +--- > + .../lua/lua/CVE-2022-28805.patch | 28 +++++++++++++++++++ > + meta-oe/recipes-devtools/lua/lua_5.3.6.bb | 1 + > + 2 files changed, 29 insertions(+) > + create mode 100644 meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch > + > +diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch > +new file mode 100644 > +index 000000000..0a21d1ce7 > +--- /dev/null > ++++ b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch > +@@ -0,0 +1,28 @@ > ++From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001 > ++From: Roberto Ierusalimschy <roberto@inf.puc-rio.br> > ++Date: Tue, 15 Feb 2022 12:28:46 -0300 > ++Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const> > ++ > ++CVE: CVE-2022-28805 > ++ > ++Upstream-Status: Backport [https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa] > ++ > ++Signed-off-by: Sana Kazi <sana.kazi@kpit.com> > ++Signed-off-by: Steve Sakoman <steve@sakoman.com> > ++--- > ++ src/lparser.c | 1 + > ++ 1 files changed, 1 insertions(+) > ++ > ++diff --git a/src/lparser.c b/src/lparser.c > ++index 3abe3d751..a5cd55257 100644 > ++--- a/src/lparser.c > +++++ b/src/lparser.c > ++@@ -300,6 +300,7 @@ > ++ expdesc key; > ++ singlevaraux(fs, ls->envn, var, 1); /* get environment variable */ > ++ lua_assert(var->k != VVOID); /* this one must exist */ > +++ luaK_exp2anyregup(fs, var); /* but could be a constant */ > ++ codestring(ls, &key, varname); /* key is variable name */ > ++ luaK_indexed(fs, var, &key); /* env[varname] */ > ++ } > ++ > +diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb > +index 342ed1b54..0137cc3c5 100644 > +--- a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb > ++++ b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb > +@@ -10,6 +10,7 @@ SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \ > + file://CVE-2020-15888.patch \ > + file://CVE-2020-15945.patch \ > + file://0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch \ > ++ file://CVE-2022-28805.patch \ > + " > + > + # if no test suite matches PV release of Lua exactly, download the suite for the closest Lua release. > +-- > +2.17.1 > + > diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch > new file mode 100644 > index 000000000..0a21d1ce7 > --- /dev/null > +++ b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch > @@ -0,0 +1,28 @@ > +From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001 > +From: Roberto Ierusalimschy <roberto@inf.puc-rio.br> > +Date: Tue, 15 Feb 2022 12:28:46 -0300 > +Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const> > + > +CVE: CVE-2022-28805 > + > +Upstream-Status: Backport [https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa] > + > +Signed-off-by: Sana Kazi <sana.kazi@kpit.com> > +Signed-off-by: Steve Sakoman <steve@sakoman.com> > +--- > + src/lparser.c | 1 + > + 1 files changed, 1 insertions(+) > + > +diff --git a/src/lparser.c b/src/lparser.c > +index 3abe3d751..a5cd55257 100644 > +--- a/src/lparser.c > ++++ b/src/lparser.c > +@@ -300,6 +300,7 @@ > + expdesc key; > + singlevaraux(fs, ls->envn, var, 1); /* get environment variable */ > + lua_assert(var->k != VVOID); /* this one must exist */ > ++ luaK_exp2anyregup(fs, var); /* but could be a constant */ > + codestring(ls, &key, varname); /* key is variable name */ > + luaK_indexed(fs, var, &key); /* env[varname] */ > + } > + > diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb > index 342ed1b54..0137cc3c5 100644 > --- a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb > +++ b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb > @@ -10,6 +10,7 @@ SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \ > file://CVE-2020-15888.patch \ > file://CVE-2020-15945.patch \ > file://0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch \ > + file://CVE-2022-28805.patch \ > " > > # if no test suite matches PV release of Lua exactly, download the suite for the closest Lua release. > -- > 2.17.1 >
diff --git a/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch new file mode 100644 index 000000000..606c9ea98 --- /dev/null +++ b/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch @@ -0,0 +1,73 @@ +From a38684e4cb4e1439e5f2f7370724496d5b363b32 Mon Sep 17 00:00:00 2001 +From: Steve Sakoman <steve@sakoman.com> +Date: Mon, 18 Apr 2022 09:04:08 -1000 +Subject: [PATCH] lua: fix CVE-2022-28805 + +singlevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2anyregup +call, leading to a heap-based buffer over-read that might affect a system that +compiles untrusted Lua code. + +https://nvd.nist.gov/vuln/detail/CVE-2022-28805 + +(From OE-Core rev: d2ba3b8850d461bc7b773240cdf15b22b31a3f9e) + +Signed-off-by: Sana Kazi <sana.kazi@kpit.com> +Signed-off-by: Steve Sakoman <steve@sakoman.com> +Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> +(cherry picked from commit 91e14d3a8e6e67267047473f5c449f266b44f354) +Signed-off-by: Omkar Patil <omkar.patil@kpit.com> +--- + .../lua/lua/CVE-2022-28805.patch | 28 +++++++++++++++++++ + meta-oe/recipes-devtools/lua/lua_5.3.6.bb | 1 + + 2 files changed, 29 insertions(+) + create mode 100644 meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch + +diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch +new file mode 100644 +index 000000000..0a21d1ce7 +--- /dev/null ++++ b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch +@@ -0,0 +1,28 @@ ++From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001 ++From: Roberto Ierusalimschy <roberto@inf.puc-rio.br> ++Date: Tue, 15 Feb 2022 12:28:46 -0300 ++Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const> ++ ++CVE: CVE-2022-28805 ++ ++Upstream-Status: Backport [https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa] ++ ++Signed-off-by: Sana Kazi <sana.kazi@kpit.com> ++Signed-off-by: Steve Sakoman <steve@sakoman.com> ++--- ++ src/lparser.c | 1 + ++ 1 files changed, 1 insertions(+) ++ ++diff --git a/src/lparser.c b/src/lparser.c ++index 3abe3d751..a5cd55257 100644 ++--- a/src/lparser.c +++++ b/src/lparser.c ++@@ -300,6 +300,7 @@ ++ expdesc key; ++ singlevaraux(fs, ls->envn, var, 1); /* get environment variable */ ++ lua_assert(var->k != VVOID); /* this one must exist */ +++ luaK_exp2anyregup(fs, var); /* but could be a constant */ ++ codestring(ls, &key, varname); /* key is variable name */ ++ luaK_indexed(fs, var, &key); /* env[varname] */ ++ } ++ +diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb +index 342ed1b54..0137cc3c5 100644 +--- a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb ++++ b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb +@@ -10,6 +10,7 @@ SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \ + file://CVE-2020-15888.patch \ + file://CVE-2020-15945.patch \ + file://0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch \ ++ file://CVE-2022-28805.patch \ + " + + # if no test suite matches PV release of Lua exactly, download the suite for the closest Lua release. +-- +2.17.1 + diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch new file mode 100644 index 000000000..0a21d1ce7 --- /dev/null +++ b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch @@ -0,0 +1,28 @@ +From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001 +From: Roberto Ierusalimschy <roberto@inf.puc-rio.br> +Date: Tue, 15 Feb 2022 12:28:46 -0300 +Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const> + +CVE: CVE-2022-28805 + +Upstream-Status: Backport [https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa] + +Signed-off-by: Sana Kazi <sana.kazi@kpit.com> +Signed-off-by: Steve Sakoman <steve@sakoman.com> +--- + src/lparser.c | 1 + + 1 files changed, 1 insertions(+) + +diff --git a/src/lparser.c b/src/lparser.c +index 3abe3d751..a5cd55257 100644 +--- a/src/lparser.c ++++ b/src/lparser.c +@@ -300,6 +300,7 @@ + expdesc key; + singlevaraux(fs, ls->envn, var, 1); /* get environment variable */ + lua_assert(var->k != VVOID); /* this one must exist */ ++ luaK_exp2anyregup(fs, var); /* but could be a constant */ + codestring(ls, &key, varname); /* key is variable name */ + luaK_indexed(fs, var, &key); /* env[varname] */ + } + diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb index 342ed1b54..0137cc3c5 100644 --- a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb +++ b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb @@ -10,6 +10,7 @@ SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \ file://CVE-2020-15888.patch \ file://CVE-2020-15945.patch \ file://0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch \ + file://CVE-2022-28805.patch \ " # if no test suite matches PV release of Lua exactly, download the suite for the closest Lua release.