fix CVE-2021-43519

(cherry picked from commit a18003eab791f5428f449d1d1c6f90680cf7a6bb)
2022-04-01 18:21:57 +08:00 · 2022-04-01 18:21:57 +08:00 · 35036dfcc1
commit 35036dfcc1
parent 3c12d99cbd
2 changed files with 70 additions and 1 deletions
--- a/backport-CVE-2021-43519.patch
+++ b/backport-CVE-2021-43519.patch
@ -0,0 +1,65 @@
 From 74d99057a5146755e737c479850f87fd0e3b6868 Mon Sep 17 00:00:00 2001
 From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
 Date: Wed, 3 Nov 2021 15:04:18 -0300
 Subject: [PATCH] Bug: C stack overflow with coroutines
 'coroutine.resume' did not increment counter of C calls when
 continuing execution after a protected error (that is,
 while running 'precover').
 ---
 src/ldo.c             |  6 ++++--
 testes/cstack.lua | 14 ++++++++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)
 diff --git a/src/ldo.c b/src/ldo.c
 index d0edc8b4f..66f890364 100644
 --- a/src/ldo.c
 +++ b/src/ldo.c
@@ -759,11 +759,10 @@ static void resume (lua_State *L, void *ud) {
   StkId firstArg = L->top - n;  /* first argument */
   CallInfo *ci = L->ci;
   if (L->status == LUA_OK)  /* starting a coroutine? */
 -    ccall(L, firstArg - 1, LUA_MULTRET, 1);  /* just call its body */
 +    ccall(L, firstArg - 1, LUA_MULTRET, 0);  /* just call its body */
   else {  /* resuming from previous yield */
     lua_assert(L->status == LUA_YIELD);
     L->status = LUA_OK;  /* mark that it is running (again) */
 -    luaE_incCstack(L);  /* control the C stack */
     if (isLua(ci)) {  /* yielded inside a hook? */
       L->top = firstArg;  /* discard arguments */
       luaV_execute(L, ci);  /* just continue running Lua code */
@@ -814,6 +813,9 @@ LUA_API int lua_resume (lua_State *L, lua_State *from, int nargs,
   else if (L->status != LUA_YIELD)  /* ended with errors? */
     return resume_error(L, "cannot resume dead coroutine", nargs);
   L->nCcalls = (from) ? getCcalls(from) : 0;
 +  if (getCcalls(L) >= LUAI_MAXCCALLS)
 +    return resume_error(L, "C stack overflow", nargs);
 +  L->nCcalls++;
   luai_userstateresume(L, nargs);
   api_checknelems(L, (L->status == LUA_OK) ? nargs + 1 : nargs);
   status = luaD_rawrunprotected(L, resume, &nargs);
 diff --git a/testes/cstack.lua b/testes/cstack.lua
 index 213d15d47..ca76c8729 100644
 --- a/testes/cstack.lua
 +++ b/testes/cstack.lua
@@ -103,6 +103,20 @@ do
 end
 +do    -- bug in 5.4.2
 +  print("nesting coroutines running after recoverable errors")
 +  local count = 0
 +  local function foo()
 +    count = count + 1
 +    pcall(1)   -- create an error
 +    -- running now inside 'precover' ("protected recover")
 +    coroutine.wrap(foo)()   -- call another coroutine
 +  end
 +  checkerror("C stack overflow", foo)
 +  print("final count: ", count)
 +end
 +
 +
 if T then
   print("testing stack recovery")
   local N = 0      -- trace number of calls
--- a/lua.spec
+++ b/lua.spec
@ -6,7 +6,7 @@
 Name:           lua
 Version:        5.4.3
-Release:        3
+Release:        4
 Summary:        A powerful, efficient, lightweight, embeddable scripting language
 License:        MIT
 URL:            http://www.lua.org/
@ -23,6 +23,7 @@ Patch0:         lua-5.4.0-beta-autotoolize.patch
 Patch1:         lua-5.3.0-idsize.patch
 Patch2:         lua-5.2.2-configure-linux.patch
 Patch3:         lua-5.3.0-configure-compat-module.patch
 Patch6000:      backport-CVE-2021-43519.patch
 BuildRequires:  automake autoconf libtool readline-devel ncurses-devel
@ -128,6 +129,9 @@ LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_libdir} $RPM_BUILD_ROOT/%{_bindir}/lua -e"_U=
 %{_mandir}/man1/lua*.1*
 %changelog
 * Fri Apr 01 2022 shixuantong <shixuantong@h-partners.com> - 5.4.3-4
 - fix CVE-2021-43519
 * Thu Jan 13 2022 shixuantong <shixuantong@huawei.com> - 5.4.3-3
 - delete liblua-5.3.so file