diff -up lua-5.4.0/lua-5.3.5/src/ldebug.c.CVE-2020-15945 lua-5.4.0/lua-5.3.5/src/ldebug.c
diff -up lua-5.4.0/src/ldebug.c.CVE-2020-15945 lua-5.4.0/src/ldebug.c
--- lua-5.4.0/src/ldebug.c.CVE-2020-15945	2020-07-31 09:58:23.504997354 -0400
+++ lua-5.4.0/src/ldebug.c	2020-07-31 10:04:19.745448815 -0400
@@ -33,10 +33,8 @@
 
 #define noLuaClosure(f)		((f) == NULL || (f)->c.tt == LUA_VCCL)
 
-
-/* Active Lua function (given call info) */
-#define ci_func(ci)		(clLvalue(s2v((ci)->func)))
-
+/* inverse of 'pcRel' */
+#define invpcRel(pc, p)		((p)->code + (pc) + 1)
 
 static const char *funcnamefromcode (lua_State *L, CallInfo *ci,
                                     const char **name);
@@ -127,20 +125,18 @@ static void settraps (CallInfo *ci) {
 /*
 ** This function can be called during a signal, under "reasonable"
 ** assumptions.
-** Fields 'oldpc', 'basehookcount', and 'hookcount' (set by
-** 'resethookcount') are for debug only, and it is no problem if they
-** get arbitrary values (causes at most one wrong hook call). 'hookmask'
-** is an atomic value. We assume that pointers are atomic too (e.g., gcc
-** ensures that for all platforms where it runs). Moreover, 'hook' is
-** always checked before being called (see 'luaD_hook').
+** Fields 'basehookcount' and 'hookcount' (set by 'resethookcount')
+** are for debug only, and it is no problem if they get arbitrary
+** values (causes at most one wrong hook call). 'hookmask' is an atomic
+** value. We assume that pointers are atomic too (e.g., gcc ensures that
+** for all platforms where it runs). Moreover, 'hook' is always checked
+** before being called (see 'luaD_hook').
 */
 LUA_API void lua_sethook (lua_State *L, lua_Hook func, int mask, int count) {
   if (func == NULL || mask == 0) {  /* turn off hooks? */
     mask = 0;
     func = NULL;
   }
-  if (isLua(L->ci))
-    L->oldpc = L->ci->u.l.savedpc;
   L->hook = func;
   L->basehookcount = count;
   resethookcount(L);
@@ -794,11 +790,24 @@ static int changedline (const Proto *p,
   return 0;  /* no line changes in the way */
 }
 
-
+/*
+** Traces the execution of a Lua function. Called before the execution
+** of each opcode, when debug is on. 'L->oldpc' stores the last
+** instruction traced, to detect line changes. When entering a new
+** function, 'npci' will be zero and will test as a new line without
+** the need for 'oldpc'; so, 'oldpc' does not need to be initialized
+** before. Some exceptional conditions may return to a function without
+** updating 'oldpc'. In that case, 'oldpc' may be invalid; if so, it is
+** reset to zero.  (A wrong but valid 'oldpc' at most causes an extra
+** call to a line hook.)
+*/
 int luaG_traceexec (lua_State *L, const Instruction *pc) {
   CallInfo *ci = L->ci;
   lu_byte mask = L->hookmask;
+  const Proto *p = ci_func(ci)->p;
   int counthook;
+  /* 'L->oldpc' may be invalid; reset it in this case */
+  int oldpc = (L->oldpc < p->sizecode) ? L->oldpc : 0;
   if (!(mask & (LUA_MASKLINE | LUA_MASKCOUNT))) {  /* no hooks? */
     ci->u.l.trap = 0;  /* don't need to stop again */
     return 0;  /* turn off 'trap' */
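Review bot: The sanitisation `int oldpc = (L->oldpc < p->sizecode) ? L->oldpc : 0;` is one-sided: a negative `L->oldpc` passes it and is then handed to `invpcRel` and `changedline` in the next hunk (`pc <= invpcRel(oldpc, p)` and `changedline(p, oldpc, npci)`). Every writer visible in this patch stores `pcRel(...)`, `npci`, `0` or `1`, so a negative value looks unreachable unless `savedpc` can equal `p->code` when `rethook` runs; if that cannot be ruled out, `int oldpc = (0 <= L->oldpc && L->oldpc < p->sizecode) ? L->oldpc : 0;` makes the check total for a field that exists precisely because a stale value used to reach this comparison. Note also that `p` is now fetched before the no-hooks early return, which is harmless but unnecessary on that path. luaG_traceexec continues past the end of this hunk.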
@@ -819,15 +828,14 @@ int luaG_traceexec (lua_State *L, const
   if (counthook)
     luaD_hook(L, LUA_HOOKCOUNT, -1, 0, 0);  /* call count hook */
   if (mask & LUA_MASKLINE) {
-    const Proto *p = ci_func(ci)->p;
     int npci = pcRel(pc, p);
     if (npci == 0 ||  /* call linehook when enter a new function, */
-        pc <= L->oldpc ||  /* when jump back (loop), or when */
-        changedline(p, pcRel(L->oldpc, p), npci)) {  /* enter new line */
+        pc <= invpcRel(oldpc, p) ||  /* when jump back (loop), or when */
+        changedline(p, oldpc, npci)) {  /* enter new line */
       int newline = luaG_getfuncline(p, npci);
       luaD_hook(L, LUA_HOOKLINE, newline, 0, 0);  /* call line hook */
     }
-    L->oldpc = pc;  /* 'pc' of last call to line hook */
+    L->oldpc = npci;  /* 'pc' of last call to line hook */
   }
   if (L->status == LUA_YIELD) {  /* did hook yield? */
     if (counthook)
diff -up lua-5.4.0/src/ldebug.h.CVE-2020-15945 lua-5.4.0/src/ldebug.h
--- lua-5.4.0/src/ldebug.h.CVE-2020-15945	2020-07-31 10:04:30.727969467 -0400
+++ lua-5.4.0/src/ldebug.h	2020-07-31 10:05:07.064383528 -0400
@@ -13,6 +13,11 @@
 
 #define pcRel(pc, p)	(cast_int((pc) - (p)->code) - 1)
 
+
+/* Active Lua function (given call info) */
+#define ci_func(ci)		(clLvalue(s2v((ci)->func)))
+
+
 #define resethookcount(L)	(L->hookcount = L->basehookcount)
 
 /*
diff -up lua-5.4.0/src/ldo.c.CVE-2020-15945 lua-5.4.0/src/ldo.c
--- lua-5.4.0/src/ldo.c.CVE-2020-15945	2020-07-31 10:05:32.374278847 -0400
+++ lua-5.4.0/src/ldo.c	2020-07-31 10:06:43.643168227 -0400
@@ -328,7 +328,7 @@ static StkId rethook (lua_State *L, Call
   ptrdiff_t oldtop = savestack(L, L->top);  /* hook may change top */
   int delta = 0;
   if (isLuacode(ci)) {
-    Proto *p = clLvalue(s2v(ci->func))->p;
+    Proto *p = ci_func(ci)->p;
     if (p->is_vararg)
       delta = ci->u.l.nextraargs + p->numparams + 1;
     if (L->top < ci->top)
@@ -341,8 +341,8 @@ static StkId rethook (lua_State *L, Call
     luaD_hook(L, LUA_HOOKRET, -1, ftransfer, nres);  /* call it */
     ci->func -= delta;
   }
-  if (isLua(ci->previous))
-    L->oldpc = ci->previous->u.l.savedpc;  /* update 'oldpc' */
+  if (isLua(ci = ci->previous))
+    L->oldpc = pcRel(ci->u.l.savedpc, ci_func(ci)->p);  /* update 'oldpc' */
   return restorestack(L, oldtop);
 }
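Review bot: `if (isLua(ci = ci->previous))` folds an assignment into the condition and overwrites the `ci` parameter that `ci->func -= delta;` a few lines above still uses for the current frame; nothing after it reads `ci`, so the code is correct, but a reader has to verify that. A separate local keeps the two frames distinct: `CallInfo *prev = ci->previous;` / `if (isLua(prev))` / `L->oldpc = pcRel(prev->u.l.savedpc, ci_func(prev)->p);`. rethook starts before this hunk.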
 
diff -up lua-5.4.0/src/lstate.c.CVE-2020-15945 lua-5.4.0/src/lstate.c
--- lua-5.4.0/src/lstate.c.CVE-2020-15945	2020-07-31 10:06:52.754770540 -0400
+++ lua-5.4.0/src/lstate.c	2020-07-31 10:07:22.512471730 -0400
@@ -301,6 +301,7 @@ static void preinit_thread (lua_State *L
   L->openupval = NULL;
   L->status = LUA_OK;
   L->errfunc = 0;
+  L->oldpc = 0;
 }
 
 
diff -up lua-5.4.0/src/lstate.h.CVE-2020-15945 lua-5.4.0/src/lstate.h
--- lua-5.4.0/src/lstate.h.CVE-2020-15945	2020-07-31 10:07:30.784110703 -0400
+++ lua-5.4.0/src/lstate.h	2020-07-31 10:08:15.957139065 -0400
@@ -286,7 +286,6 @@ struct lua_State {
   StkId top;  /* first free slot in the stack */
   global_State *l_G;
   CallInfo *ci;  /* call info for current function */
-  const Instruction *oldpc;  /* last pc traced */
   StkId stack_last;  /* last free slot in the stack */
   StkId stack;  /* stack base */
   UpVal *openupval;  /* list of open upvalues in this stack */
@@ -297,6 +296,7 @@ struct lua_State {
   volatile lua_Hook hook;
   ptrdiff_t errfunc;  /* current error handling function (stack index) */
   l_uint32 nCcalls;  /* number of allowed nested C calls - 'nci' */
+  int oldpc;  /* last pc traced */
   int stacksize;
   int basehookcount;
   int hookcount;
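Review bot: The comment on the moved field, `int oldpc;  /* last pc traced */`, is carried over unchanged from the pointer version although the meaning changed: the value is now a relative instruction index in the `pcRel` form, which `luaG_traceexec` compares against `p->sizecode` before use, not an absolute pointer that could outlive its function. Suggest `int oldpc;  /* last pc traced, as a 'pcRel' index into the current function; validated in 'luaG_traceexec' */` so the next maintainer does not reintroduce a raw pointer here.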
diff -up lua-5.4.0/src/lvm.c.CVE-2020-15945 lua-5.4.0/src/lvm.c
--- lua-5.4.0/src/lvm.c.CVE-2020-15945	2020-07-31 10:08:32.014438227 -0400
+++ lua-5.4.0/src/lvm.c	2020-07-31 10:08:57.189339437 -0400
@@ -1796,7 +1796,7 @@ void luaV_execute (lua_State *L, CallInf
         updatetrap(ci);
         if (trap) {
           luaD_hookcall(L, ci);
-          L->oldpc = pc + 1;  /* next opcode will be seen as a "new" line */
+          L->oldpc = 1;  /* next opcode will be seen as a "new" line */
         }
         updatebase(ci);  /* function has new base after adjustment */
         vmbreak;
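Review bot: `L->oldpc = 1;` replaces an expression derived from `pc` with a bare literal, and the unchanged comment does not say why 1 is the right index. Assuming this is the function's first instruction and `pc` has already been advanced past it, the value equals `pcRel(pc + 1, p)`; if the closure's `Proto` is reachable here (the enclosing declarations are outside the hunk) that expression would preserve the derivation, otherwise the comment should state it, e.g. `L->oldpc = 1;  /* == pcRel(pc + 1, p): next opcode will be seen as a "new" line */`. luaV_execute begins and ends outside this hunk.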