From 5d9eef2f7ff68fe2ff11f2a37508e6227a97c1f0 Mon Sep 17 00:00:00 2001 From: fly_fzc <2385803914@qq.com> Date: Fri, 15 Jul 2022 14:43:15 +0800 Subject: [PATCH] Fix CVE-2020-24240 --- backport-CVE-2020-24240.patch | 157 +++++++ ...-FOO-to-FOO-for-function-like-macros.patch | 396 ++++++++++++++++++ bison.spec | 11 +- 3 files changed, 563 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2020-24240.patch create mode 100644 backport-style-prefer-FOO-to-FOO-for-function-like-macros.patch diff --git a/backport-CVE-2020-24240.patch b/backport-CVE-2020-24240.patch new file mode 100644 index 0000000..b42cef2 --- /dev/null +++ b/backport-CVE-2020-24240.patch @@ -0,0 +1,157 @@ +From be95a4fe2951374676efc9454ffee8638faaf68d Mon Sep 17 00:00:00 2001 +From: Akim Demaille +Date: Tue, 28 Jul 2020 18:51:30 +0200 +Subject: [PATCH] scanner: don't crash on strings containing a NUL byte + +We crash if the input contains a string containing a NUL byte. +Reported by Suhwan Song. +https://lists.gnu.org/r/bug-bison/2020-07/msg00051.html + +* src/flex-scanner.h (STRING_FREE): Avoid accidental use of +last_string. +* src/scan-gram.l: Don't call STRING_FREE without calling +STRING_FINISH first. +* tests/input.at (Invalid inputs): Check that case. +--- + THANKS | 1 + + src/flex-scanner.h | 10 +++++++++- + src/scan-gram.l | 3 ++- + tests/input.at | 48 ++++++++++++++++++++++++++++++++++++---------- + 4 files changed, 50 insertions(+), 12 deletions(-) + +diff --git a/THANKS b/THANKS +index ac073ea67..5c64da3c0 100644 +--- a/THANKS ++++ b/THANKS +@@ -185,6 +185,7 @@ Simon Sobisch simonsobisch@web.de + Stefano Lattarini stefano.lattarini@gmail.com + Stephen Cameron stephenmcameron@gmail.com + Steve Murphy murf@parsetree.com ++Suhwan Song prada960808@gmail.com + Sum Wu sum@geekhouse.org + Théophile Ranquet theophile.ranquet@gmail.com + Thiru Ramakrishnan thiru.ramakrishnan@gmail.com +diff --git a/src/flex-scanner.h b/src/flex-scanner.h +index 56ca7ce32..028847fda 100644 +--- a/src/flex-scanner.h ++++ b/src/flex-scanner.h +@@ -112,7 +112,15 @@ static struct obstack obstack_for_string; + # define STRING_FINISH() \ + (last_string = obstack_finish0 (&obstack_for_string)) + +-# define STRING_FREE() \ ++# ifdef NDEBUG ++# define STRING_FREE() \ + obstack_free (&obstack_for_string, last_string) ++# else ++# define STRING_FREE() \ ++ do { \ ++ obstack_free (&obstack_for_string, last_string); \ ++ last_string = NULL; \ ++ } while (0) ++#endif + + #endif +diff --git a/src/scan-gram.l b/src/scan-gram.l +index f8d85f23f..ad2904ce8 100644 +--- a/src/scan-gram.l ++++ b/src/scan-gram.l +@@ -403,6 +403,7 @@ eqopt ({sp}=)? + { + \0 { + complain (loc, complaint, _("invalid null character")); ++ STRING_FINISH (); + STRING_FREE (); + return GRAM_error; + } +@@ -599,7 +600,6 @@ eqopt ({sp}=)? + STRING_FINISH (); + BEGIN INITIAL; + loc->start = token_start; +- val->CHAR = last_string[0]; + + if (last_string[0] == '\0') + { +@@ -615,6 +615,7 @@ eqopt ({sp}=)? + } + else + { ++ val->CHAR = last_string[0]; + STRING_FREE (); + return CHAR; + } +diff --git a/tests/input.at b/tests/input.at +index 4da637955..effcd1cc9 100644 +--- a/tests/input.at ++++ b/tests/input.at +@@ -1,4 +1,4 @@ +-# Checking the Bison scanner. -*- Autotest -*- ++# Checking the Bison reader. -*- Autotest -*- + + # Copyright (C) 2002-2015, 2018-2020 Free Software Foundation, Inc. + +@@ -78,10 +78,13 @@ AT_CLEANUP + ## Invalid inputs. ## + ## ---------------- ## + ++# The truly bad guys no human would write, but easily uncovered by ++# fuzzers. + AT_SETUP([Invalid inputs]) + + AT_DATA([input.y], + [[\000\001\002\377? ++"\000" + %% + ? + default: 'a' } +@@ -92,16 +95,41 @@ default: 'a' } + ]]) + AT_PERL_REQUIRE([[-pi -e 's/\\(\d{3})/chr(oct($1))/ge' input.y]]) + +-AT_BISON_CHECK([input.y], [1], [], ++AT_BISON_CHECK([-fcaret input.y], [1], [], [stderr]) ++ ++# Autotest's diffing, when there are NUL bytes, just reports "binary ++# files differ". So don't leave NUL bytes. ++AT_PERL_CHECK([[-p -e 's{([\0\377])}{sprintf "\\x%02x", ord($1)}ge' stderr]], [], + [[input.y:1.1-2: error: invalid characters: '\0\001\002\377?' +-input.y:3.1: error: invalid character: '?' +-input.y:4.14: error: invalid character: '}' +-input.y:5.1: error: invalid character: '%' +-input.y:5.2: error: invalid character: '&' +-input.y:6.1-17: error: invalid directive: '%a-does-not-exist' +-input.y:7.1: error: invalid character: '%' +-input.y:7.2: error: invalid character: '-' +-input.y:8.1-9.0: error: missing '%}' at end of file ++ 1 | \x00\xff? ++ | ^~ ++input.y:2.2: error: invalid null character ++ 2 | "\x00" ++ | ^ ++input.y:4.1: error: invalid character: '?' ++ 4 | ? ++ | ^ ++input.y:5.14: error: invalid character: '}' ++ 5 | default: 'a' } ++ | ^ ++input.y:6.1: error: invalid character: '%' ++ 6 | %& ++ | ^ ++input.y:6.2: error: invalid character: '&' ++ 6 | %& ++ | ^ ++input.y:7.1-17: error: invalid directive: '%a-does-not-exist' ++ 7 | %a-does-not-exist ++ | ^~~~~~~~~~~~~~~~~ ++input.y:8.1: error: invalid character: '%' ++ 8 | %- ++ | ^ ++input.y:8.2: error: invalid character: '-' ++ 8 | %- ++ | ^ ++input.y:9.1-10.0: error: missing '%}' at end of file ++ 9 | %{ ++ | ^~ + ]]) + + AT_CLEANUP diff --git a/backport-style-prefer-FOO-to-FOO-for-function-like-macros.patch b/backport-style-prefer-FOO-to-FOO-for-function-like-macros.patch new file mode 100644 index 0000000..fe57f8f --- /dev/null +++ b/backport-style-prefer-FOO-to-FOO-for-function-like-macros.patch @@ -0,0 +1,396 @@ +From c857ed4f72b83c561bfd42e5ff6c129ddb2017ee Mon Sep 17 00:00:00 2001 +From: Akim Demaille +Date: Sat, 13 Jun 2020 08:11:22 +0200 +Subject: [PATCH] style: prefer 'FOO ()' to 'FOO' for function-like macros + +* src/flex-scanner.h (STRING_GROW, STRING_FINISH, STRING_FREE): +Make them function-like macros. +Adjust dependencies. +--- + src/flex-scanner.h | 14 +++++----- + src/scan-code.l | 26 +++++++++---------- + src/scan-gram.l | 64 +++++++++++++++++++++++----------------------- + src/scan-skel.l | 2 +- + tests/input.at | 4 +-- + 5 files changed, 55 insertions(+), 55 deletions(-) + +diff --git a/src/flex-scanner.h b/src/flex-scanner.h +index 6f6861741..f0f3ae172 100644 +--- a/src/flex-scanner.h ++++ b/src/flex-scanner.h +@@ -94,22 +94,22 @@ int FLEX_PREFIX (lex_destroy) (void); + keep (to construct ID, STRINGS etc.). Use the following macros to + use it. + +- Use STRING_GROW to append what has just been matched, and +- STRING_FINISH to end the string (it puts the ending 0). +- STRING_FINISH also stores this string in LAST_STRING, which can be +- used, and which is used by STRING_FREE to free the last string. */ ++ Use STRING_GROW () to append what has just been matched, and ++ STRING_FINISH () to end the string (it puts the ending 0). ++ STRING_FINISH () also stores this string in LAST_STRING, which can be ++ used, and which is used by STRING_FREE () to free the last string. */ + + #ifndef FLEX_NO_OBSTACK + + static struct obstack obstack_for_string; + +-# define STRING_GROW \ ++# define STRING_GROW() \ + obstack_grow (&obstack_for_string, yytext, yyleng) + +-# define STRING_FINISH \ ++# define STRING_FINISH() \ + (last_string = obstack_finish0 (&obstack_for_string)) + +-# define STRING_FREE \ ++# define STRING_FREE() \ + obstack_free (&obstack_for_string, last_string) + + #endif +diff --git a/src/scan-code.l b/src/scan-code.l +index 1aaecd4ea..86f877495 100644 +--- a/src/scan-code.l ++++ b/src/scan-code.l +@@ -112,7 +112,7 @@ ref -?[0-9]+|{id}|"["{id}"]"|"$" + + + { +- "*"{splice}"/" STRING_GROW; BEGIN sc_context; ++ "*"{splice}"/" STRING_GROW (); BEGIN sc_context; + } + + +@@ -122,8 +122,8 @@ ref -?[0-9]+|{id}|"["{id}"]"|"$" + + + { +- "\n" STRING_GROW; BEGIN sc_context; +- {splice} STRING_GROW; ++ "\n" STRING_GROW (); BEGIN sc_context; ++ {splice} STRING_GROW (); + } + + +@@ -133,26 +133,26 @@ ref -?[0-9]+|{id}|"["{id}"]"|"$" + + + { +- {splice}|\\{splice}. STRING_GROW; ++ {splice}|\\{splice}. STRING_GROW (); + } + + + { +- "'" STRING_GROW; BEGIN sc_context; ++ "'" STRING_GROW (); BEGIN sc_context; + } + + + { +- "\"" STRING_GROW; BEGIN sc_context; ++ "\"" STRING_GROW (); BEGIN sc_context; + } + + + + { +- "'" STRING_GROW; BEGIN SC_CHARACTER; +- "\"" STRING_GROW; BEGIN SC_STRING; +- "/"{splice}"*" STRING_GROW; BEGIN SC_COMMENT; +- "/"{splice}"/" STRING_GROW; BEGIN SC_LINE_COMMENT; ++ "'" STRING_GROW (); BEGIN SC_CHARACTER; ++ "\"" STRING_GROW (); BEGIN SC_STRING; ++ "/"{splice}"*" STRING_GROW (); BEGIN SC_COMMENT; ++ "/"{splice}"/" STRING_GROW (); BEGIN SC_LINE_COMMENT; + + [$@] { + complain (loc, Wother, _("stray '%s'"), yytext); +@@ -199,10 +199,10 @@ ref -?[0-9]+|{id}|"["{id}"]"|"$" + [$@\[\]] obstack_escape (&obstack_for_string, yytext); + + /* By default, grow the string obstack with the input. */ +- .|\n STRING_GROW; ++ .|\n STRING_GROW (); + + /* End of processing. */ +- <> STRING_FINISH; return last_string; ++ <> STRING_FINISH (); return last_string; + } + + %% +@@ -835,7 +835,7 @@ code_props_translate_code (code_props *self) + void + code_scanner_last_string_free (void) + { +- STRING_FREE; ++ STRING_FREE (); + } + + void +diff --git a/src/scan-gram.l b/src/scan-gram.l +index e3d96f242..1bbcfd7d6 100644 +--- a/src/scan-gram.l ++++ b/src/scan-gram.l +@@ -115,7 +115,7 @@ static int bracketed_id_context_state = 0; + void + gram_scanner_last_string_free (void) + { +- STRING_FREE; ++ STRING_FREE (); + } + + static void handle_syncline (char *, location); +@@ -344,7 +344,7 @@ eqopt ({sp}=)? + + /* Code in between braces. */ + "{" { +- STRING_GROW; ++ STRING_GROW (); + nesting = 0; + code_start = loc->start; + BEGIN SC_BRACED_CODE; +@@ -403,7 +403,7 @@ eqopt ({sp}=)? + { + \0 { + complain (loc, complaint, _("invalid null character")); +- STRING_FREE; ++ STRING_FREE (); + return GRAM_error; + } + } +@@ -533,7 +533,7 @@ eqopt ({sp}=)? + + + { +- "*"{splice}"/" STRING_GROW; BEGIN context_state; ++ "*"{splice}"/" STRING_GROW (); BEGIN context_state; + <> unexpected_eof (token_start, "*/"); BEGIN context_state; + } + +@@ -544,8 +544,8 @@ eqopt ({sp}=)? + + + { +- {eol} STRING_GROW; BEGIN context_state; +- {splice} STRING_GROW; ++ {eol} STRING_GROW (); BEGIN context_state; ++ {splice} STRING_GROW (); + <> BEGIN context_state; + } + +@@ -558,7 +558,7 @@ eqopt ({sp}=)? + + { + "\"" { +- STRING_FINISH; ++ STRING_FINISH (); + BEGIN INITIAL; + loc->start = token_start; + complain (loc, Wyacc, +@@ -572,7 +572,7 @@ eqopt ({sp}=)? + + { + "\")" { +- STRING_FINISH; ++ STRING_FINISH (); + BEGIN INITIAL; + loc->start = token_start; + complain (loc, Wyacc, +@@ -591,7 +591,7 @@ eqopt ({sp}=)? + + { + "'" { +- STRING_FINISH; ++ STRING_FINISH (); + BEGIN INITIAL; + loc->start = token_start; + val->CHAR = last_string[0]; +@@ -599,18 +599,18 @@ eqopt ({sp}=)? + if (last_string[0] == '\0') + { + complain (loc, complaint, _("empty character literal")); +- STRING_FREE; ++ STRING_FREE (); + return GRAM_error; + } + else if (last_string[1] != '\0') + { + complain (loc, complaint, _("extra characters in character literal")); +- STRING_FREE; ++ STRING_FREE (); + return GRAM_error; + } + else + { +- STRING_FREE; ++ STRING_FREE (); + return CHAR; + } + } +@@ -630,18 +630,18 @@ eqopt ({sp}=)? + --nesting; + if (nesting < 0) + { +- STRING_FINISH; ++ STRING_FINISH (); + loc->start = token_start; + val->TAG = uniqstr_new (last_string); +- STRING_FREE; ++ STRING_FREE (); + BEGIN INITIAL; + return TAG; + } +- STRING_GROW; ++ STRING_GROW (); + } + +- ([^<>]|->)+ STRING_GROW; +- "<"+ STRING_GROW; nesting += yyleng; ++ ([^<>]|->)+ STRING_GROW (); ++ "<"+ STRING_GROW (); nesting += yyleng; + + <> unexpected_eof (token_start, ">"); + } +@@ -696,19 +696,19 @@ eqopt ({sp}=)? + + + { +- {splice}|\\{splice}[^\n\[\]] STRING_GROW; ++ {splice}|\\{splice}[^\n\[\]] STRING_GROW (); + } + + + { +- "'" STRING_GROW; BEGIN context_state; ++ "'" STRING_GROW (); BEGIN context_state; + {eol} unexpected_newline (token_start, "'"); + <> unexpected_eof (token_start, "'"); + } + + + { +- "\"" STRING_GROW; BEGIN context_state; ++ "\"" STRING_GROW (); BEGIN context_state; + {eol} unexpected_newline (token_start, "\""); + <> unexpected_eof (token_start, "\""); + } +@@ -721,25 +721,25 @@ eqopt ({sp}=)? + + { + "'" { +- STRING_GROW; ++ STRING_GROW (); + context_state = YY_START; + token_start = loc->start; + BEGIN SC_CHARACTER; + } + "\"" { +- STRING_GROW; ++ STRING_GROW (); + context_state = YY_START; + token_start = loc->start; + BEGIN SC_STRING; + } + "/"{splice}"*" { +- STRING_GROW; ++ STRING_GROW (); + context_state = YY_START; + token_start = loc->start; + BEGIN SC_COMMENT; + } + "/"{splice}"/" { +- STRING_GROW; ++ STRING_GROW (); + context_state = YY_START; + BEGIN SC_LINE_COMMENT; + } +@@ -754,12 +754,12 @@ eqopt ({sp}=)? + + + { +- "{"|"<"{splice}"%" STRING_GROW; nesting++; +- "%"{splice}">" STRING_GROW; nesting--; ++ "{"|"<"{splice}"%" STRING_GROW (); nesting++; ++ "%"{splice}">" STRING_GROW (); nesting--; + + /* Tokenize '<<%' correctly (as '<<' '%') rather than incorrectly + (as '<' '<%'). */ +- "<"{splice}"<" STRING_GROW; ++ "<"{splice}"<" STRING_GROW (); + + <> unexpected_eof (code_start, "}"); + } +@@ -772,7 +772,7 @@ eqopt ({sp}=)? + --nesting; + if (nesting < 0) + { +- STRING_FINISH; ++ STRING_FINISH (); + loc->start = code_start; + BEGIN INITIAL; + RETURN_VALUE (BRACED_CODE, last_string); +@@ -786,7 +786,7 @@ eqopt ({sp}=)? + --nesting; + if (nesting < 0) + { +- STRING_FINISH; ++ STRING_FINISH (); + loc->start = code_start; + BEGIN INITIAL; + RETURN_VALUE (BRACED_PREDICATE, last_string); +@@ -803,7 +803,7 @@ eqopt ({sp}=)? + + { + "%}" { +- STRING_FINISH; ++ STRING_FINISH (); + loc->start = code_start; + BEGIN INITIAL; + RETURN_VALUE (PROLOGUE, last_string); +@@ -821,7 +821,7 @@ eqopt ({sp}=)? + + { + <> { +- STRING_FINISH; ++ STRING_FINISH (); + loc->start = code_start; + BEGIN INITIAL; + RETURN_VALUE (EPILOGUE, last_string); +@@ -841,7 +841,7 @@ eqopt ({sp}=)? + + Add a fallthrough "|." so that non UTF-8 input is still accepted + and does not jam the scanner. */ +- {mbchar}|. STRING_GROW; ++ {mbchar}|. STRING_GROW (); + } + + %% +diff --git a/src/scan-skel.l b/src/scan-skel.l +index d7e334d57..a5771639d 100644 +--- a/src/scan-skel.l ++++ b/src/scan-skel.l +@@ -100,7 +100,7 @@ static void output_mapped_file (char const *name); + + + { +- [^@]+ STRING_GROW; ++ [^@]+ STRING_GROW (); + + "@@" obstack_1grow (&obstack_for_string, '@'); + "@{" obstack_1grow (&obstack_for_string, '['); +diff --git a/tests/input.at b/tests/input.at +index 1dda9841e..d152de315 100644 +--- a/tests/input.at ++++ b/tests/input.at +@@ -1690,8 +1690,8 @@ AT_CLEANUP + + AT_SETUP([Unclosed constructs]) + +-# Bison's scan-gram.l once forgot to STRING_FINISH some unclosed +-# constructs, so they were prepended to whatever it STRING_GROW'ed ++# Bison's scan-gram.l once forgot to STRING_FINISH () some unclosed ++# constructs, so they were prepended to whatever it STRING_GROW ()'ed + # next. It also threw them away rather than returning them to the + # parser. The effect was confusing subsequent error messages. + diff --git a/bison.spec b/bison.spec index 629191b..eb38182 100644 --- a/bison.spec +++ b/bison.spec @@ -1,11 +1,14 @@ Name: bison Version: 3.6.4 -Release: 1 +Release: 2 Summary: A GNU general-purpose parser generator License: GPLv3+ URL: http://www.gnu.org/software/bison/ Source0: https://ftp.gnu.org/gnu/bison/bison-%{version}.tar.xz +Patch0: backport-style-prefer-FOO-to-FOO-for-function-like-macros.patch +Patch1: backport-CVE-2020-24240.patch + BuildRequires: gcc-c++ autoconf automake m4 flex Requires(post): info Requires(preun):info @@ -89,6 +92,12 @@ fi %{_datadir}/locale/*/LC_MESSAGES/bison-gnulib.mo %changelog +* Fri Jul 15 2022 fuanan - 3.6.4-2 +- Type:CVE +- ID:CVE-2020-24240 +- SUG:NA +- DESC:Fix CVE-2020-24240 + * Thu Aug 20 2020 SimpleUpdate Robot - 3.6.4-1 - Upgrade to version 3.6.4 -- Gitee