Fix CVE-2022-33099

(cherry picked from commit a50da9eea321d9795ab0138a1a39f8567a575a26)
2022-07-18 14:31:58 +08:00 · 2022-07-18 14:31:58 +08:00 · 782653b6d2
commit 782653b6d2
parent d5ad35ea00
2 changed files with 68 additions and 1 deletions
--- a/backport-CVE-2022-33099.patch
+++ b/backport-CVE-2022-33099.patch
@ -0,0 +1,62 @@
+From 42d40581dd919fb134c07027ca1ce0844c670daf Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
+Date: Fri, 20 May 2022 13:14:33 -0300
+Subject: [PATCH] Save stack space while handling errors
+
+Because error handling (luaG_errormsg) uses slots from EXTRA_STACK,
+and some errors can recur (e.g., string overflow while creating an
+error message in 'luaG_runerror', or a C-stack overflow before calling
+the message handler), the code should use stack slots with parsimony.
+
+This commit fixes the bug "Lua-stack overflow when C stack overflows
+while handling an error".
+---
+ src/ldebug.c | 5 ++++-
+ src/lvm.c    | 6 ++++--
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/ldebug.c b/src/ldebug.c
+index 1feaab2..5524fae 100644
+--- a/src/ldebug.c
+++ b/src/ldebug.c
+@@ -783,8 +783,11 @@ l_noret luaG_runerror (lua_State *L, const char *fmt, ...) {
+   va_start(argp, fmt);
+   msg = luaO_pushvfstring(L, fmt, argp);  /* format message */
+   va_end(argp);
+-  if (isLua(ci))  /* if Lua function, add source:line information */
+  if (isLua(ci)) {  /* if Lua function, add source:line information */
+     luaG_addinfo(L, msg, ci_func(ci)->p->source, getcurrentline(ci));
+    setobjs2s(L, L->top - 2, L->top - 1);  /* remove 'msg' from the stack */
+    L->top--;
+  }
+   luaG_errormsg(L);
+ }
+ 
+diff --git a/src/lvm.c b/src/lvm.c
+index c9729bc..a965087 100644
+--- a/src/lvm.c
+++ b/src/lvm.c
+@@ -656,8 +656,10 @@ void luaV_concat (lua_State *L, int total) {
+       /* collect total length and number of strings */
+       for (n = 1; n < total && tostring(L, s2v(top - n - 1)); n++) {
+         size_t l = vslen(s2v(top - n - 1));
+-        if (l_unlikely(l >= (MAX_SIZE/sizeof(char)) - tl))
+        if (l_unlikely(l >= (MAX_SIZE/sizeof(char)) - tl)) {
+          L->top = top - total;  /* pop strings to avoid wasting stack */
+           luaG_runerror(L, "string length overflow");
+	}
+         tl += l;
+       }
+       if (tl <= LUAI_MAXSHORTLEN) {  /* is result a short string? */
+@@ -672,7 +674,7 @@ void luaV_concat (lua_State *L, int total) {
+       setsvalue2s(L, top - n, ts);  /* create result */
+     }
+     total -= n-1;  /* got 'n' strings to create 1 new */
+-    L->top -= n-1;  /* popped 'n' strings and pushed one */
+    L->top = top - (n - 1);  /* popped 'n' strings and pushed one */
+   } while (total > 1);  /* repeat until only 1 result left */
+ }
+ 
+-- 
+2.33.0
+
--- a/lua.spec
+++ b/lua.spec
@ -6,7 +6,7 @@

 Name:           lua
 Version:        5.4.3
-Release:        6
+Release:        7
 Summary:        A powerful, efficient, lightweight, embeddable scripting language
 License:        MIT
 URL:            http://www.lua.org/
@ -26,6 +26,7 @@ Patch3:         lua-5.3.0-configure-compat-module.patch
 Patch6000:      backport-CVE-2021-43519.patch
 Patch6001:      backport-CVE-2021-44647.patch
 Patch6002:      backport-CVE-2022-28805.patch
+Patch6003:      backport-CVE-2022-33099.patch

 BuildRequires:  automake autoconf libtool readline-devel ncurses-devel

@ -61,6 +62,7 @@ mv src/luaconf.h src/luaconf.h.template.in
 %patch6000 -p1
 %patch6001 -p1
 %patch6002 -p1
+%patch6003 -p1

 # Put proper version in configure.ac, patch0 hardcodes 5.3.0
 sed -i 's|5.3.0|%{version}|g' configure.ac
@ -135,6 +137,9 @@ LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_libdir} $RPM_BUILD_ROOT/%{_bindir}/lua -e"_U=
 %{_mandir}/man1/lua*.1*

 %changelog
+* Mon Jul 18 2022 renhongxun <renhongxun@h-partners.com> - 5.4.3-7
+- fix CVE-2022-33099
+
 * Fri Apr 15 2022 shixuantong <shixuantong@h-partners.com> - 5.4.3-6
 - fix CVE-2021-44647 CVE-2022-28805