[svace] buffer overflow at third_party/luajit/src/lj_cparse.c:1781 #9339

Closed
sergepetrenko opened this issue Nov 7, 2023 · 0 comments · Fixed by #9388
Labels
bug Something isn't working luajit

Comments

sergepetrenko (Collaborator)

sergepetrenko commented Nov 7, 2023

Found by svace: report

https://github.com/tarantool/luajit/blob/52e7daa38ca4f9447c2db306618ba2e7e566c8e6/src/lj_cparse.c#L1780-L1782

cp->packstack is of size CPARSE_MAX_PACKSTACK. cp->curpack is checked to be less than CPARSE_MAX_PACKSTACK, but then cp->packstack is accessed at cp->curpack + 1, which is out of bounds.

Another issue, which seems to be fixed by the same patch:
report
cp->curpack is incremented if cp->curpack is less than CPARSE_MAX_PACKSTACK. Then cp->packstack is accessed at cp->curpack, which is now equal to CPARSE_MAX_PACKSTACK.

@sergepetrenko sergepetrenko added bug Something isn't working luajit labels Nov 7, 2023
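The off-by-one described in the report above and in the fix commit below, as an added example that is not LuaJIT's or Tarantool's code: a hypothetical C model of a bounded pragma pack stack, with the reported push logic beside the corrected bound. The struct, the names (`pack_state`, `pack_set`, `pack_push_buggy`, `pack_push_fixed`, `depth_after_pushes`) and the slot layout are assumptions; only the limit of 7, the `curpack + 1` access behind a `curpack < MAX` guard, and the fact that the overrun clobbers the counter come from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same depth limit the issue cites for CPARSE_MAX_PACKSTACK. */
#define MAX_PACKSTACK 7

/*
 * Hypothetical model of the parser state the issue describes: slots
 * 0..MAX_PACKSTACK-1 are the saved pack alignments and the depth counter
 * sits immediately behind them, which is where a write to
 * packstack[MAX_PACKSTACK] lands. Both live in one array so the overrun
 * can be observed without invoking undefined behaviour.
 */
struct pack_state {
  uint8_t slot[MAX_PACKSTACK + 1];
};
#define PACKSTACK(ps, i) ((ps)->slot[(i)])
#define CURPACK(ps)      ((ps)->slot[MAX_PACKSTACK])

static void pack_init(struct pack_state *ps) {
  memset(ps->slot, 0, sizeof ps->slot);
}

/* `#pragma pack(N)`: record log2(N) in the current slot. Refuses an index
 * equal to MAX_PACKSTACK, the second out-of-bounds access in the report. */
static int pack_set(struct pack_state *ps, uint8_t align_log2) {
  uint8_t depth = CURPACK(ps);
  if (depth >= MAX_PACKSTACK)
    return -1;
  PACKSTACK(ps, depth) = align_log2;
  return 0;
}

/* `#pragma pack(push)` as reported: the guard admits depth == 6, so the
 * copy targets slot 7, i.e. the counter itself, and the increment that
 * follows then operates on the clobbered value. */
static int pack_push_buggy(struct pack_state *ps) {
  uint8_t depth = CURPACK(ps);
  if (depth < MAX_PACKSTACK) {
    PACKSTACK(ps, depth + 1) = PACKSTACK(ps, depth);
    CURPACK(ps)++;
  }
  return 0;              /* no error: an overflowing push is silently dropped */
}

/* `#pragma pack(push)` with the corrected bound: only push when a free
 * slot exists, and signal an error (the parser throws) otherwise. */
static int pack_push_fixed(struct pack_state *ps) {
  uint8_t depth = CURPACK(ps);
  if (depth < MAX_PACKSTACK - 1) {
    PACKSTACK(ps, depth + 1) = PACKSTACK(ps, depth);
    CURPACK(ps) = depth + 1;
    return 0;
  }
  return -1;             /* stands in for the error the fix throws */
}

/*
 * Apply `#pragma pack(16)` and then `n` pushes from depth 0 with the chosen
 * push variant. Returns the depth counter afterwards and counts rejected
 * pushes in *rejected. With the buggy variant and n == MAX_PACKSTACK the
 * seventh push copies slot 6 (value 4) over the counter, so the function
 * returns 5 instead of 7: the parser now believes five levels are open.
 */
static int depth_after_pushes(int n, int fixed, int *rejected) {
  struct pack_state ps;
  pack_init(&ps);
  pack_set(&ps, 4);    /* log2(16) */
  *rejected = 0;
  for (int i = 0; i < n; i++) {
    int rc = fixed ? pack_push_fixed(&ps) : pack_push_buggy(&ps);
    if (rc != 0)
      (*rejected)++;
  }
  return CURPACK(&ps);
}

/* Convenience wrapper: how many pushes the variant refused. */
static int rejected_after_pushes(int n, int fixed) {
  int rej;
  (void)depth_after_pushes(n, fixed, &rej);
  return rej;
}

int main(void) {
  int rej;
  int buggy = depth_after_pushes(MAX_PACKSTACK, 0, &rej);
  printf("buggy push, 7 pushes: depth=%d\n", buggy);
  int fixed = depth_after_pushes(MAX_PACKSTACK, 1, &rej);
  printf("fixed push, 7 pushes: depth=%d rejected=%d\n", fixed, rej);
  return 0;
}
```

Compile with `cc -std=c11 -Wall` and run: the buggy path reports depth 5 after seven pushes because the seventh push copied the saved alignment (4) over the counter before incrementing it, while the fixed path stops at depth 6 and reports one rejected push. The pattern a static analyser flags here is generic: a guard `i < N` followed by an access at `i + 1` needs `i < N - 1`, and a write at `i` after `i++` needs the same bound.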
Buristan pushed a commit to tarantool/luajit that referenced this issue Nov 8, 2023
Reported by Sergey Kaplun.

(cherry-picked from commit 433d7e8)

`cp->packstack` is an array of size `CPARSE_MAX_PACKSTACK` (7). Before
the patch, `cp->curpack` is checked to be less than
`CPARSE_MAX_PACKSTACK`, but then `cp->packstack` is accessed at
`cp->curpack + 1`, which is out of bounds, so the `cp->curpack` value is
overwritten.

This patch fixes the condition and also adds an error throw when the
counter overflows (instead of rewriting the top `cp->packstack` value).

Sergey Kaplun:
* added the description and the test for the problem

Resolves tarantool/tarantool#9339
Part of tarantool/tarantool#9145
@Buristan Buristan self-assigned this Nov 8, 2023
igormunkin pushed a commit to tarantool/luajit that referenced this issue Nov 9, 2023
Reported by Sergey Kaplun.

(cherry-picked from commit 433d7e8)

`cp->packstack` is an array of size `CPARSE_MAX_PACKSTACK` (7). Before
the patch, `cp->curpack` is checked to be less than
`CPARSE_MAX_PACKSTACK`, but then `cp->packstack` is accessed at
`cp->curpack + 1`, which is out of bounds, so the `cp->curpack` value is
overwritten.

This patch fixes the condition and also adds an error throw when the
counter overflows (instead of rewriting the top `cp->packstack` value).

Sergey Kaplun:
* added the description and the test for the problem

Resolves tarantool/tarantool#9339
Part of tarantool/tarantool#9145

Reviewed-by: Igor Munkin <imun@tarantool.org>
Reviewed-by: Maxim Kokryashkin <m.kokryashkin@tarantool.org>
Signed-off-by: Igor Munkin <imun@tarantool.org>
(cherry picked from commit 7e15197)
igormunkin added a commit to igormunkin/tarantool that referenced this issue Nov 21, 2023
* Mark CONV as non-weak, to prevent elimination of its side-effect.
* Fix ABC FOLD rule with constants.
* test: add test for conversions folding
* Add NaN check to IR_NEWREF.
* LJ_GC64: Fix lua_concat().
* test: introduce asserts assert_str{_not}_equal
* ci: enable codespell
* cmake: introduce target with codespell
* codehealth: fix typos
* tools: add cli flag to run profile dump parsers
* profilers: purge generation mechanism
* memprof: refactor symbol resolution
* sysprof: fix crash during FFUNC stream
* Fix last commit.
* Print errors from __gc finalizers instead of rethrowing them.
* x86/x64: Fix math.ceil(-0.9) result sign.
* test: fix flaky fix-jit-dump-ir-conv.test.lua
* IR_MIN/IR_MAX is non-commutative due to underlying FPU ops.
* Fix jit.dump() output for IR_CONV.
* Fix FOLD rule for x-0.
* FFI: Fix pragma push stack limit check and throw on overflow.
* Prevent compile of __concat with tailcall to fast function.
* Fix base register coalescing in side trace.
* Fix register mask for stack check in head of side trace.
* x64: Properly fix __call metamethod return dispatch.

Closes tarantool#8594
Closes tarantool#8767
Closes tarantool#9339
Part of tarantool#9145

NO_DOC=LuaJIT submodule bump
NO_TEST=LuaJIT submodule bump
igormunkin added a commit that referenced this issue Nov 21, 2023
* Mark CONV as non-weak, to prevent elimination of its side-effect.
* Fix ABC FOLD rule with constants.
* test: add test for conversions folding
* Add NaN check to IR_NEWREF.
* test: fix flaky OOM error frame test
* LJ_GC64: Fix lua_concat().
* test: introduce asserts assert_str{_not}_equal
* ci: enable codespell
* cmake: introduce target with codespell
* codehealth: fix typos
* tools: add cli flag to run profile dump parsers
* profilers: purge generation mechanism
* memprof: refactor symbol resolution
* sysprof: fix crash during FFUNC stream
* Fix last commit.
* Print errors from __gc finalizers instead of rethrowing them.
* x86/x64: Fix math.ceil(-0.9) result sign.
* test: fix flaky fix-jit-dump-ir-conv.test.lua
* IR_MIN/IR_MAX is non-commutative due to underlying FPU ops.
* Fix jit.dump() output for IR_CONV.
* Fix FOLD rule for x-0.
* FFI: Fix pragma push stack limit check and throw on overflow.
* Prevent compile of __concat with tailcall to fast function.
* Fix base register coalescing in side trace.
* Fix register mask for stack check in head of side trace.
* x64: Properly fix __call metamethod return dispatch.

Closes #8594
Closes #8767
Closes #9339
Part of #9145

NO_DOC=LuaJIT submodule bump
NO_TEST=LuaJIT submodule bump