Cross-compilation of dist/Storable fails

[p5pRT]

Migrated from rt.perl.org#133411 (status was 'resolved')

Searchable as RT133411$

[p5pRT]

From philipp@cpan.org

I’m the package maintainer for Perl on OpenWrt.

We’re trying to ship 5.28.0 since 5.26.2 and below have the Archive​::Tar CVE-2018-12015.

Unfortunately, dist/Storable/stacksize is not a cross-compilation friendly script, since it assumes that one is never cross-compiling. Clearly that’s not the case.

The bug manifests as​:

cd dist/Storable ; LD_LIBRARY_PATH=/home/philipp/lede/build_dir/target-x86_64_musl/perl/perl-5.28.0 make lib/Storable/Limit.pm
make[4]​: Entering directory '/home/philipp/lede/build_dir/target-x86_64_musl/perl/perl-5.28.0/dist/Storable'
/home/philipp/lede/build_dir/target-x86_64_musl/perl/perl-5.28.0/dist/Storable/../../../../../../staging_dir/hostpkg/usr/bin/perl "-I../../lib" -MExtUtils​::Command -e 'mkpath' -- ../../lib
"../../../../../../staging_dir/hostpkg/usr/bin/perl" "-I../../lib" "-I../../lib" stacksize --core
Should not run during miniperl
Makefile​:283​: recipe for target 'lib/Storable/Limit.pm' failed
make[4]​: *** [lib/Storable/Limit.pm] Error 255
make[4]​: Leaving directory '/home/philipp/lede/build_dir/target-x86_64_musl/perl/perl-5.28.0/dist/Storable'
Makefile​:446​: recipe for target 'dist/Storable/lib/Storable/Limit.pm' failed
make[3]​: *** [dist/Storable/lib/Storable/Limit.pm] Error 2

And it’s exactly because we are cross-compiling that we build and use miniperl, as well as setting​:

usecrosscompile=‘define’

in config.sh.

We’ve been calling out this issue for almost a month now, and it’s the sole blocker to updating our distro's migration to 5.28.0 and hence mitigating the CVE.

This is urgent.

Thanks

========
philipp@​ubuntu16​:~/lede/build_dir/target-x86_64_musl/perl/perl-5.28.0$ ./miniperl -V
Summary of my perl5 (revision 5 version 28 subversion 0) configuration​:

Platform​:
  osname=linux
  osvers=4.8.0-58-generic
  archname=x86_64-linux-thread-multi
  uname='linux ubuntu16 4.8.0-58-generic #63~16.04.1-ubuntu smp mon jun 26 18​:08​:51 utc 2017 x86_64 x86_64 x86_64 gnulinux '
  config_args='-der -Uusedl -Duserelocatableinc -Dprefix=/home/philipp/lede/staging_dir/hostpkg/usr -Dusethreads'
  hint=recommended
  useposix=true
  d_sigaction=define
  useithreads=define
  usemultiplicity=define
  use64bitint=define
  use64bitall=define
  uselongdouble=undef
  usemymalloc=n
  default_inc_excludes_dot=define
  bincompat5005=undef
Compiler​:
  cc='cc'
  ccflags ='-D_REENTRANT -D_GNU_SOURCE -fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64'
  optimize='-O2'
  cppflags='-D_REENTRANT -D_GNU_SOURCE -fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
  ccversion=''
  gccversion='5.4.0 20160609'
  gccosandvers=''
  intsize=4
  longsize=8
  ptrsize=8
  doublesize=8
  byteorder=12345678
  doublekind=3
  d_longlong=define
  longlongsize=8
  d_longdbl=define
  longdblsize=16
  longdblkind=3
  ivtype='long'
  ivsize=8
  nvtype='double'
  nvsize=8
  Off_t='off_t'
  lseeksize=8
  alignbytes=8
  prototype=define
Linker and Libraries​:
  ld='ld'
  ldflags =' -fstack-protector-strong -L/usr/local/lib'
  libpth=/usr/local/lib /usr/lib/gcc/x86_64-linux-gnu/5/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
  libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  libc=libc-2.23.so
  so=so
  useshrplib=false
  libperl=libperl.a
  gnulibc_version='2.23'
Dynamic Linking​:
  dlsrc=dl_none.xs
  dlext=none
  d_dlsymun=undef
  ccdlflags=''
  cccdlflags=''
  lddlflags=''

Characteristics of this binary (from libperl)​:
Compile-time options​:
  HAS_TIMES
  MULTIPLICITY
  PERLIO_LAYERS
  PERL_COPY_ON_WRITE
  PERL_DONT_CREATE_GVSV
  PERL_IMPLICIT_CONTEXT
  PERL_MALLOC_WRAP
  PERL_OP_PARENT
  PERL_PRESERVE_IVUV
  USE_64_BIT_ALL
  USE_64_BIT_INT
  USE_ITHREADS
  USE_LARGE_FILES
  USE_LOCALE
  USE_LOCALE_COLLATE
  USE_LOCALE_CTYPE
  USE_LOCALE_NUMERIC
  USE_LOCALE_TIME
  USE_PERLIO
  USE_PERL_ATOF
  USE_REENTRANT_API
Built under linux
@​INC​:
  /home/philipp/lede/staging_dir/hostpkg/usr/lib/perl5/site_perl/5.28.0/x86_64-linux-thread-multi
  /home/philipp/lede/staging_dir/hostpkg/usr/lib/perl5/site_perl/5.28.0
  /home/philipp/lede/staging_dir/hostpkg/usr/lib/perl5/5.28.0/x86_64-linux-thread-multi
  /home/philipp/lede/staging_dir/hostpkg/usr/lib/perl5/5.28.0

[p5pRT]

From @tonycoz

On Sun, 29 Jul 2018 21​:10​:00 -0700, philipp@​cpan.org wrote​:

I’m the package maintainer for Perl on OpenWrt.

We’re trying to ship 5.28.0 since 5.26.2 and below have the
Archive​::Tar CVE-2018-12015.

Unfortunately, dist/Storable/stacksize is not a cross-compilation
friendly script, since it assumes that one is never cross-compiling.
Clearly that’s not the case.

The bug manifests as​:

cd dist/Storable ;
LD_LIBRARY_PATH=/home/philipp/lede/build_dir/target-
x86_64_musl/perl/perl-5.28.0 make lib/Storable/Limit.pm
make[4]​: Entering directory '/home/philipp/lede/build_dir/target-
x86_64_musl/perl/perl-5.28.0/dist/Storable'
/home/philipp/lede/build_dir/target-x86_64_musl/perl/perl-
5.28.0/dist/Storable/../../../../../../staging_dir/hostpkg/usr/bin/perl
"-I../../lib" -MExtUtils​::Command -e 'mkpath' -- ../../lib
"../../../../../../staging_dir/hostpkg/usr/bin/perl" "-I../../lib" "-
I../../lib" stacksize --core
Should not run during miniperl

Please try the attached.

Tony

[p5pRT]

From @tonycoz

0001-perl-133411-don-t-try-to-load-Storable-with-Dusecros.patch

From 682a4acb98783a7f9b5c286b308f12863599fec3 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Mon, 30 Jul 2018 21:00:52 +1000
Subject: (perl #133411) don't try to load Storable with -Dusecrosscompile

---
 dist/Storable/Makefile.PL |  9 ++++++++-
 dist/Storable/stacksize   | 10 +++++++---
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/dist/Storable/Makefile.PL b/dist/Storable/Makefile.PL
index a5d9e66891..db420ab30b 100644
--- a/dist/Storable/Makefile.PL
+++ b/dist/Storable/Makefile.PL
@@ -95,11 +95,18 @@ sub depend {
         # blib.pm needs arch/lib
         $extra_deps = ' Storable.pm';
     }
+    my $whichperl;
+    if ($Config::Config{usecrosscompile}) {
+        $whichperl = '$(PERLRUN)';
+    }
+    else {
+        $whichperl = '$(FULLPERLRUNINST)';
+    }
     my $linktype = uc($_[0]->{LINKTYPE});
     "
 $limit_pm : stacksize \$(INST_$linktype)$extra_deps
 	\$(MKPATH) \$(INST_LIB)
-	\$(FULLPERLRUNINST) stacksize $options
+	$whichperl stacksize $options
 
 release : dist
 	git tag \$(VERSION)
diff --git a/dist/Storable/stacksize b/dist/Storable/stacksize
index 7abd3a84cc..14e0739734 100644
--- a/dist/Storable/stacksize
+++ b/dist/Storable/stacksize
@@ -7,6 +7,9 @@ use Cwd;
 use File::Spec;
 use strict;
 
+-d "lib" or mkdir "lib";
+-d "lib/Storable" or mkdir "lib/Storable";
+
 my $fn = "lib/Storable/Limit.pm";
 my $ptrsize = $Config{ptrsize};
 my ($bad1, $bad2) = (65001, 25000);
@@ -29,6 +32,10 @@ sub is_miniperl {
 }
 
 if (is_miniperl()) {
+    if ($Config{usecrosscompile}) {
+        write_limits(500, 265);
+        exit;
+    }
     die "Should not run during miniperl\n";
 }
 my $prefix = "";
@@ -68,9 +75,6 @@ if ($ENV{PERL_CORE}) {
     }
 }
 
--d "lib" or mkdir "lib";
--d "lib/Storable" or mkdir "lib/Storable";
-
 if ($^O eq "MSWin32") {
     require Win32;
     my ($str, $major, $minor) = Win32::GetOSVersion();
-- 
2.11.0

[p5pRT]

The RT System itself - Status changed from 'new' to 'open'

[p5pRT]

From philipp@cpan.org

On Jul 30, 2018, at 5​:01 AM, Tony Cook via RT <perlbug-followup@​perl.org> wrote​:

Please try the attached.

Tony
From 682a4acb98783a7f9b5c286b308f12863599fec3 Mon Sep 17 00​:00​:00 2001
From​: Tony Cook <tony@​develop-help.com>
Date​: Mon, 30 Jul 2018 21​:00​:52 +1000
Subject​: (perl #133411) don't try to load Storable with -Dusecrosscompile

[snip]

Seems to be working! Thanks.

Had to tweak it slight to get it to work with 5.28.0 and not “blead/master”​:

openwrt/packages#6623

[p5pRT]

From @tonycoz

On Mon, 30 Jul 2018 16​:12​:05 -0700, philipp@​cpan.org wrote​:

On Jul 30, 2018, at 5​:01 AM, Tony Cook via RT <perlbug-
followup@​perl.org> wrote​:

Please try the attached.

Tony
From 682a4acb98783a7f9b5c286b308f12863599fec3 Mon Sep 17 00​:00​:00
2001
From​: Tony Cook <tony@​develop-help.com>
Date​: Mon, 30 Jul 2018 21​:00​:52 +1000
Subject​: (perl #133411) don't try to load Storable with
-Dusecrosscompile

[snip]

Seems to be working! Thanks.

Had to tweak it slight to get it to work with 5.28.0 and not
“blead/master”​:

openwrt/packages#6623

Thanks for the feedback, applied to blead as edf639f

Tony

[p5pRT]

@tonycoz - Status changed from 'open' to 'pending release'

[p5pRT]

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.30.0, this and 160 other issues have been
resolved.

Perl 5.30.0 may be downloaded via​:
https://metacpan.org/release/XSAWYERX/perl-5.30.0

If you find that the problem persists, feel free to reopen this ticket.

[p5pRT]

@khwilliamson - Status changed from 'pending release' to 'resolved'