lua: fix CVE-2022-28805

singlevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code. https://nvd.nist.gov/vuln/detail/CVE-2022-28805 (From OE-Core rev: d2ba3b8850d461bc7b773240cdf15b22b31a3f9e) Signed-off-by: Sana Kazi <sana.kazi@kpit.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 91e14d3a8e6e67267047473f5c449f266b44f354) Signed-off-by: Omkar Patil <omkar.patil@kpit.com> Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Steve Sakoman <steve@sakoman.com> 2022-05-09 13:10:09 +0530
committer: Armin Kuster <akuster808@gmail.com> 2022-05-25 19:34:39 -0700
commit: abd7cf838d51900ad445a26e501baeb51b4ef1e8 (patch)
tree: 8d701103394fc1038c56b1d28973bff0a59be752
parent: a8d82c80a11b90805b992e1963108af8b3a257ca (diff)
download: meta-openembedded-abd7cf838d51900ad445a26e501baeb51b4ef1e8.tar.gz
3 files changed, 102 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch
new file mode 100644
index 0000000000..606c9ea98c
--- /dev/null
+++ b/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch
@@ -0,0 +1,73 @@
+From a38684e4cb4e1439e5f2f7370724496d5b363b32 Mon Sep 17 00:00:00 2001
+From: Steve Sakoman <steve@sakoman.com>
+Date: Mon, 18 Apr 2022 09:04:08 -1000
+Subject: [PATCH] lua: fix CVE-2022-28805
+singlevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2anyregup
+call, leading to a heap-based buffer over-read that might affect a system that
+compiles untrusted Lua code.
+https://nvd.nist.gov/vuln/detail/CVE-2022-28805
+(From OE-Core rev: d2ba3b8850d461bc7b773240cdf15b22b31a3f9e)
+Signed-off-by: Sana Kazi <sana.kazi@kpit.com>
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+(cherry picked from commit 91e14d3a8e6e67267047473f5c449f266b44f354)
+Signed-off-by: Omkar Patil <omkar.patil@kpit.com>
+---
+ .../lua/lua/CVE-2022-28805.patch              | 28 +++++++++++++++++++
+ meta-oe/recipes-devtools/lua/lua_5.3.6.bb     |  1 +
+ 2 files changed, 29 insertions(+)
+ create mode 100644 meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch
+diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch
+new file mode 100644
+index 000000000..0a21d1ce7
+--- /dev/null
+++ b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch
+@@ -0,0 +1,28 @@
+From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
+Date: Tue, 15 Feb 2022 12:28:46 -0300
+Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const>
+
+CVE: CVE-2022-28805
+
+Upstream-Status: Backport [https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa]
+
+Signed-off-by: Sana Kazi <sana.kazi@kpit.com>
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ src/lparser.c         |  1 +
+ 1 files changed, 1 insertions(+)
+
+diff --git a/src/lparser.c b/src/lparser.c
+index 3abe3d751..a5cd55257 100644
+--- a/src/lparser.c
++++ b/src/lparser.c
+@@ -300,6 +300,7 @@
+     expdesc key;
+     singlevaraux(fs, ls->envn, var, 1);  /* get environment variable */
+     lua_assert(var->k != VVOID);  /* this one must exist */
++    luaK_exp2anyregup(fs, var);  /* but could be a constant */
+     codestring(ls, &key, varname);  /* key is variable name */
+     luaK_indexed(fs, var, &key);  /* env[varname] */
+   }
+
+diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
+index 342ed1b54..0137cc3c5 100644
+--- a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
+++ b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
+@@ -10,6 +10,7 @@ SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \
+            file://CVE-2020-15888.patch \
+            file://CVE-2020-15945.patch \
+            file://0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch \
+           file://CVE-2022-28805.patch \
+            "
+ 
+ # if no test suite matches PV release of Lua exactly, download the suite for the closest Lua release.
+-- 
+2.17.1
diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch
new file mode 100644
index 0000000000..0a21d1ce77
--- /dev/null
+++ b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch
@@ -0,0 +1,28 @@
+From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
+Date: Tue, 15 Feb 2022 12:28:46 -0300
+Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const>
+CVE: CVE-2022-28805
+Upstream-Status: Backport [https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa]
+Signed-off-by: Sana Kazi <sana.kazi@kpit.com>
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ src/lparser.c         |  1 +
+ 1 files changed, 1 insertions(+)
+diff --git a/src/lparser.c b/src/lparser.c
+index 3abe3d751..a5cd55257 100644
+--- a/src/lparser.c
+++ b/src/lparser.c
+@@ -300,6 +300,7 @@
+     expdesc key;
+     singlevaraux(fs, ls->envn, var, 1);  /* get environment variable */
+     lua_assert(var->k != VVOID);  /* this one must exist */
+    luaK_exp2anyregup(fs, var);  /* but could be a constant */
+     codestring(ls, &key, varname);  /* key is variable name */
+     luaK_indexed(fs, var, &key);  /* env[varname] */
+   }
diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
index 342ed1b547..0137cc3c5b 100644
--- a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
+++ b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
@@ -10,6 +10,7 @@ SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \
           file://CVE-2020-15888.patch \
           file://CVE-2020-15945.patch \
           file://0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch \
+           file://CVE-2022-28805.patch \
           "
 # if no test suite matches PV release of Lua exactly, download the suite for the closest Lua release.
author	Steve Sakoman <steve@sakoman.com>	2022-05-09 13:10:09 +0530
committer	Armin Kuster <akuster808@gmail.com>	2022-05-25 19:34:39 -0700
commit	abd7cf838d51900ad445a26e501baeb51b4ef1e8 (patch)
tree	8d701103394fc1038c56b1d28973bff0a59be752
parent	a8d82c80a11b90805b992e1963108af8b3a257ca (diff)
download	meta-openembedded-abd7cf838d51900ad445a26e501baeb51b4ef1e8.tar.gz

diff --git a/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch new file mode 100644 index 0000000000..606c9ea98c --- /dev/null +++ b/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch
@@ -0,0 +1,73 @@
		1	From a38684e4cb4e1439e5f2f7370724496d5b363b32 Mon Sep 17 00:00:00 2001
		2	From: Steve Sakoman <steve@sakoman.com>
		3	Date: Mon, 18 Apr 2022 09:04:08 -1000
		4	Subject: [PATCH] lua: fix CVE-2022-28805
		5
		6	singlevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2anyregup
		7	call, leading to a heap-based buffer over-read that might affect a system that
		8	compiles untrusted Lua code.
		9
		10	https://nvd.nist.gov/vuln/detail/CVE-2022-28805
		11
		12	(From OE-Core rev: d2ba3b8850d461bc7b773240cdf15b22b31a3f9e)
		13
		14	Signed-off-by: Sana Kazi <sana.kazi@kpit.com>
		15	Signed-off-by: Steve Sakoman <steve@sakoman.com>
		16	Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
		17	(cherry picked from commit 91e14d3a8e6e67267047473f5c449f266b44f354)
		18	Signed-off-by: Omkar Patil <omkar.patil@kpit.com>
		19	---
		20	.../lua/lua/CVE-2022-28805.patch \| 28 +++++++++++++++++++
		21	meta-oe/recipes-devtools/lua/lua_5.3.6.bb \| 1 +
		22	2 files changed, 29 insertions(+)
		23	create mode 100644 meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch
		24
		25	diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch
		26	new file mode 100644
		27	index 000000000..0a21d1ce7
		28	--- /dev/null
		29	+++ b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch
		30	@@ -0,0 +1,28 @@
		31	+From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001
		32	+From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
		33	+Date: Tue, 15 Feb 2022 12:28:46 -0300
		34	+Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const>
		35	+
		36	+CVE: CVE-2022-28805
		37	+
		38	+Upstream-Status: Backport [https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa]
		39	+
		40	+Signed-off-by: Sana Kazi <sana.kazi@kpit.com>
		41	+Signed-off-by: Steve Sakoman <steve@sakoman.com>
		42	+---
		43	+ src/lparser.c \| 1 +
		44	+ 1 files changed, 1 insertions(+)
		45	+
		46	+diff --git a/src/lparser.c b/src/lparser.c
		47	+index 3abe3d751..a5cd55257 100644
		48	+--- a/src/lparser.c
		49	++++ b/src/lparser.c
		50	+@@ -300,6 +300,7 @@
		51	+ expdesc key;
		52	+ singlevaraux(fs, ls->envn, var, 1); /* get environment variable */
		53	+ lua_assert(var->k != VVOID); /* this one must exist */
		54	++ luaK_exp2anyregup(fs, var); /* but could be a constant */
		55	+ codestring(ls, &key, varname); /* key is variable name */
		56	+ luaK_indexed(fs, var, &key); /* env[varname] */
		57	+ }
		58	+
		59	diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
		60	index 342ed1b54..0137cc3c5 100644
		61	--- a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
		62	+++ b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
		63	@@ -10,6 +10,7 @@ SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \
		64	file://CVE-2020-15888.patch \
		65	file://CVE-2020-15945.patch \
		66	file://0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch \
		67	+ file://CVE-2022-28805.patch \
		68	"
		69
		70	# if no test suite matches PV release of Lua exactly, download the suite for the closest Lua release.
		71	--
		72	2.17.1
		73


diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch new file mode 100644 index 0000000000..0a21d1ce77 --- /dev/null +++ b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch
@@ -0,0 +1,28 @@
		1	From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001
		2	From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
		3	Date: Tue, 15 Feb 2022 12:28:46 -0300
		4	Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const>
		5
		6	CVE: CVE-2022-28805
		7
		8	Upstream-Status: Backport [https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa]
		9
		10	Signed-off-by: Sana Kazi <sana.kazi@kpit.com>
		11	Signed-off-by: Steve Sakoman <steve@sakoman.com>
		12	---
		13	src/lparser.c \| 1 +
		14	1 files changed, 1 insertions(+)
		15
		16	diff --git a/src/lparser.c b/src/lparser.c
		17	index 3abe3d751..a5cd55257 100644
		18	--- a/src/lparser.c
		19	+++ b/src/lparser.c
		20	@@ -300,6 +300,7 @@
		21	expdesc key;
		22	singlevaraux(fs, ls->envn, var, 1); /* get environment variable */
		23	lua_assert(var->k != VVOID); /* this one must exist */
		24	+ luaK_exp2anyregup(fs, var); /* but could be a constant */
		25	codestring(ls, &key, varname); /* key is variable name */
		26	luaK_indexed(fs, var, &key); /* env[varname] */
		27	}
		28


diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb index 342ed1b547..0137cc3c5b 100644 --- a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb +++ b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb
@@ -10,6 +10,7 @@ SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \
10	file://CVE-2020-15888.patch \	10	file://CVE-2020-15888.patch \
11	file://CVE-2020-15945.patch \	11	file://CVE-2020-15945.patch \
12	file://0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch \	12	file://0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch \
		13	file://CVE-2022-28805.patch \
13	"	14	"
14		15
15	# if no test suite matches PV release of Lua exactly, download the suite for the closest Lua release.	16	# if no test suite matches PV release of Lua exactly, download the suite for the closest Lua release.