
Backport CVE-2020-24370's patch #15847

Merged
merged 1 commit into from
Feb 7, 2024

Conversation

the-Chain-Warden-thresh
Contributor

CVE-2020-24370 is a security vulnerability in lua. Although the CVE description in CVE-2020-24370 said that this CVE only affected lua 5.4.0, according to lua this CVE actually existed since lua 5.2. The root cause of this CVE is the negation overflow that occurs when you try to take the negative of 0x80000000. Thus, this CVE also exists in openzfs.
Try to backport the fix to the lua in openzfs since the original fix is for 5.4 and several functions have been changed.

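The root cause named above, a negative index that is negated before it is range-checked, is illustrated here as an added example; this is not Lua's or OpenZFS's code, and the function names `negation_overflows`, `vararg_slot_unsafe` and `vararg_slot_safe` are hypothetical. It assumes a 32-bit two's-complement `int`, so that `INT_MIN` is 0x80000000.

```c
#include <limits.h>
#include <stdio.h>

/* Returns 1 if computing -n would overflow a two's-complement int.
 * On a 32-bit int, INT_MIN is 0x80000000 and its negation is not
 * representable, so -n is undefined behaviour. */
int negation_overflows(int n) { return n == INT_MIN; }

/* Shape of the bug: flip the sign first, then range-check.
 * For n == INT_MIN the negation is undefined; common compilers
 * produce INT_MIN again, so "k > nvararg" is evaluated on garbage
 * and the function can report a slot that does not exist.
 * Never call this with n == INT_MIN. Kept only to show the pattern. */
int vararg_slot_unsafe(int n, int nvararg) {
    if (n >= 0) return -1;
    int k = -n;                 /* overflows when n == INT_MIN */
    if (k > nvararg) return -1;
    return k - 1;               /* 0-based slot */
}

/* Hardened shape: compare the negative index directly against
 * -nvararg and never negate the untrusted value. nvararg is a
 * non-negative count, so -nvararg cannot overflow, and -1 - n is
 * within [0, nvararg - 1] once the check has passed. */
int vararg_slot_safe(int n, int nvararg) {
    if (nvararg < 0) return -1;
    if (n >= 0 || n < -nvararg) return -1;
    return -1 - n;
}

int main(void) {
    /* Constructed inputs: three vararg slots, index 0x80000000. */
    int n = INT_MIN, nvararg = 3;
    printf("negation_overflows(INT_MIN) = %d\n", negation_overflows(n));
    printf("vararg_slot_safe(INT_MIN, 3) = %d\n", vararg_slot_safe(n, nvararg));
    printf("vararg_slot_safe(-2, 3)      = %d\n", vararg_slot_safe(-2, nvararg));
    return 0;
}
```
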
@tonyhutter
Contributor

Checkstyle is failing because you need to add a Signed-off line with your name and email to the commit. For example:

This is my commit

Signed-off-by: Tony Hutter <hutter2@llnl.gov>

@the-Chain-Warden-thresh
Contributor Author

> Checkstyle is failing because you need to add a Signed-off line with your name and email to the commit. For example:
>
> This is my commit
>
> Signed-off-by: Tony Hutter <hutter2@llnl.gov>

Thanks a lot for your comment here and the issue! I'll work on it later and try again for the check.

@behlendorf behlendorf added the Status: Code Review Needed Ready for review and testing label Feb 2, 2024
@tonyhutter
Contributor

tonyhutter commented Feb 6, 2024

checkstyle is now reporting:

error: commit subject over 72 characters

I believe you've added your Signed-off-by line to the subject line:
Subject: [PATCH] Backport CVE-2020-24370's patch Signed-off-by: ChenHao Lu <18302010006@fudan.edu.cn>

Here's what I would suggest for your commit message:

LUA: Backport CVE-2020-24370's patch

CVE-2020-24370 is a security vulnerability in lua. Although the CVE
description in CVE-2020-24370 said that this CVE only affected lua 5.4.0,
according to lua this CVE actually existed since lua 5.2. The root cause of
this CVE is the negation overflow that occurs when you try to take the
negative of 0x80000000. Thus, this CVE also exists in openzfs.  Try to backport
the fix to the lua in openzfs since the original fix is for 5.4 and several
functions have been changed.

https://github.com/advisories/GHSA-gfr4-c37g-mm3v
https://nvd.nist.gov/vuln/detail/CVE-2020-24370
https://www.lua.org/bugs.html#5.4.0-11
https://github.com/lua/lua/commit/a585eae6e7ada1ca9271607a4f48dfb17868ab7b

Signed-off-by: ChenHao Lu <18302010006@fudan.edu.cn>

@the-Chain-Warden-thresh
Contributor Author

> checkstyle is now reporting:
>
> error: commit subject over 72 characters
>
> I believe you've added your Signed-off-by line to the subject line: Subject: [PATCH] Backport CVE-2020-24370's patch Signed-off-by: ChenHao Lu <18302010006@fudan.edu.cn>
>
> Here's what I would suggest for your commit message:
>
> LUA: Backport CVE-2020-24370's patch
>
> CVE-2020-24370 is a security vulnerability in lua. Although the CVE
> description in CVE-2020-24370 said that this CVE only affected lua 5.4.0,
> according to lua this CVE actually existed since lua 5.2. The root cause of
> this CVE is the negation overflow that occurs when you try to take the
> negative of 0x80000000. Thus, this CVE also exists in openzfs.  Try to backport
> the fix to the lua in openzfs since the original fix is for 5.4 and several
> functions have been changed.
>
> https://github.com/advisories/GHSA-gfr4-c37g-mm3v
> https://nvd.nist.gov/vuln/detail/CVE-2020-24370
> https://www.lua.org/bugs.html#5.4.0-11
> https://github.com/lua/lua/commit/a585eae6e7ada1ca9271607a4f48dfb17868ab7b
>
> Signed-off-by: ChenHao Lu <18302010006@fudan.edu.cn>

Get it. I'll change my commit message as you've suggested.

@the-Chain-Warden-thresh the-Chain-Warden-thresh force-pushed the master branch 2 times, most recently from 79e4885 to 4804d8d, February 7, 2024 09:12
CVE-2020-24370 is a security vulnerability in lua. Although the CVE
description in CVE-2020-24370 said that this CVE only affected lua
5.4.0, according to lua this CVE actually existed since lua 5.2. The
root cause of this CVE is the negation overflow that occurs when you
try to take the negative of 0x80000000. Thus, this CVE also exists in
openzfs. Try to backport the fix to the lua in openzfs since the
original fix is for 5.4 and several functions have been changed.

GHSA-gfr4-c37g-mm3v
https://nvd.nist.gov/vuln/detail/CVE-2020-24370
https://www.lua.org/bugs.html#5.4.0-11
lua/lua@a585eae

Signed-off-by: ChenHao Lu <18302010006@fudan.edu.cn>
Contributor

@tonyhutter tonyhutter left a comment


Thank you!

@behlendorf behlendorf added Status: Accepted Ready to integrate (reviewed, tested) and removed Status: Code Review Needed Ready for review and testing labels Feb 7, 2024
@behlendorf behlendorf merged commit 229b9f4 into openzfs:master Feb 7, 2024
21 of 25 checks passed
behlendorf pushed a commit that referenced this pull request Feb 13, 2024
CVE-2020-24370 is a security vulnerability in lua. Although the CVE
description in CVE-2020-24370 said that this CVE only affected lua
5.4.0, according to lua this CVE actually existed since lua 5.2. The
root cause of this CVE is the negation overflow that occurs when you
try to take the negative of 0x80000000. Thus, this CVE also exists in
openzfs. Try to backport the fix to the lua in openzfs since the
original fix is for 5.4 and several functions have been changed.

GHSA-gfr4-c37g-mm3v
https://nvd.nist.gov/vuln/detail/CVE-2020-24370
https://www.lua.org/bugs.html#5.4.0-11
lua/lua@a585eae

Reviewed-by: Tony Hutter <hutter2@llnl.gov>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: ChenHao Lu <18302010006@fudan.edu.cn>
Closes #15847
tonyhutter pushed a commit that referenced this pull request Feb 22, 2024
lundman pushed a commit to openzfsonwindows/openzfs that referenced this pull request Mar 13, 2024
CVE-2020-24370 is a security vulnerability in lua. Although the CVE
description in CVE-2020-24370 said that this CVE only affected lua
5.4.0, according to lua this CVE actually existed since lua 5.2. The
root cause of this CVE is the negation overflow that occurs when you
try to take the negative of 0x80000000. Thus, this CVE also exists in
openzfs. Try to backport the fix to the lua in openzfs since the
original fix is for 5.4 and several functions have been changed.

GHSA-gfr4-c37g-mm3v
https://nvd.nist.gov/vuln/detail/CVE-2020-24370
https://www.lua.org/bugs.html#5.4.0-11
lua/lua@a585eae

Reviewed-by: Tony Hutter <hutter2@llnl.gov>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: ChenHao Lu <18302010006@fudan.edu.cn>
Closes openzfs#15847
lundman pushed a commit to openzfsonwindows/openzfs that referenced this pull request Mar 13, 2024
datty pushed a commit to datty/zfsonlinux that referenced this pull request Jun 13, 2024
mostly support for newer kernel-versions, and fixes for the BRT bugs
discovered with 2.2.0 (BRT remains disabled by default).

The update contains a fix for CVE-2020-24370 in lua (which is present
in ZFS for channel-programs, which we do not use) - see:
openzfs/zfs#15847 for more details.

One patch from Stefan Lendl was backported and is now in the ZFS 2.2
branch.

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Labels
Status: Accepted Ready to integrate (reviewed, tested)