[svace] buffer overflow at third_party/luajit/src/lj_cparse.c:1781 #9339
Comments
Buristan pushed a commit to tarantool/luajit that referenced this issue on Nov 8, 2023:

Reported by Sergey Kaplun.

(cherry-picked from commit 433d7e8)

`cp->packstack` is an array of size `CPARSE_MAX_PACKSTACK` (7). Before the patch, `cp->curpack` is checked to be less than `CPARSE_MAX_PACKSTACK`, but then `cp->packstack` is accessed at `cp->curpack + 1`, which is out of bounds, so the `cp->curpack` value is overwritten. This patch fixes the condition and also adds an error throw when the counter overflows (instead of rewriting the top `cp->packstack` value).

Sergey Kaplun:
* added the description and the test for the problem

Resolves tarantool/tarantool#9339
Part of tarantool/tarantool#9145
igormunkin pushed a commit to tarantool/luajit that referenced this issue on Nov 9, 2023:

Reported by Sergey Kaplun.

(cherry-picked from commit 433d7e8)

`cp->packstack` is an array of size `CPARSE_MAX_PACKSTACK` (7). Before the patch, `cp->curpack` is checked to be less than `CPARSE_MAX_PACKSTACK`, but then `cp->packstack` is accessed at `cp->curpack + 1`, which is out of bounds, so the `cp->curpack` value is overwritten. This patch fixes the condition and also adds an error throw when the counter overflows (instead of rewriting the top `cp->packstack` value).

Sergey Kaplun:
* added the description and the test for the problem

Resolves tarantool/tarantool#9339
Part of tarantool/tarantool#9145

Reviewed-by: Igor Munkin <imun@tarantool.org>
Reviewed-by: Maxim Kokryashkin <m.kokryashkin@tarantool.org>
Signed-off-by: Igor Munkin <imun@tarantool.org>
(cherry picked from commit 7e15197)
igormunkin added a commit to igormunkin/tarantool that referenced this issue on Nov 21, 2023:

* Mark CONV as non-weak, to prevent elimination of its side-effect.
* Fix ABC FOLD rule with constants.
* test: add test for conversions folding
* Add NaN check to IR_NEWREF.
* LJ_GC64: Fix lua_concat().
* test: introduce asserts assert_str{_not}_equal
* ci: enable codespell
* cmake: introduce target with codespell
* codehealth: fix typos
* tools: add cli flag to run profile dump parsers
* profilers: purge generation mechanism
* memprof: refactor symbol resolution
* sysprof: fix crash during FFUNC stream
* Fix last commit.
* Print errors from __gc finalizers instead of rethrowing them.
* x86/x64: Fix math.ceil(-0.9) result sign.
* test: fix flaky fix-jit-dump-ir-conv.test.lua
* IR_MIN/IR_MAX is non-commutative due to underlying FPU ops.
* Fix jit.dump() output for IR_CONV.
* Fix FOLD rule for x-0.
* FFI: Fix pragma push stack limit check and throw on overflow.
* Prevent compile of __concat with tailcall to fast function.
* Fix base register coalescing in side trace.
* Fix register mask for stack check in head of side trace.
* x64: Properly fix __call metamethod return dispatch.

Closes tarantool#8594
Closes tarantool#8767
Closes tarantool#9339
Part of tarantool#9145

NO_DOC=LuaJIT submodule bump
NO_TEST=LuaJIT submodule bump
igormunkin added a commit that referenced this issue on Nov 21, 2023:

* Mark CONV as non-weak, to prevent elimination of its side-effect.
* Fix ABC FOLD rule with constants.
* test: add test for conversions folding
* Add NaN check to IR_NEWREF.
* test: fix flaky OOM error frame test
* LJ_GC64: Fix lua_concat().
* test: introduce asserts assert_str{_not}_equal
* ci: enable codespell
* cmake: introduce target with codespell
* codehealth: fix typos
* tools: add cli flag to run profile dump parsers
* profilers: purge generation mechanism
* memprof: refactor symbol resolution
* sysprof: fix crash during FFUNC stream
* Fix last commit.
* Print errors from __gc finalizers instead of rethrowing them.
* x86/x64: Fix math.ceil(-0.9) result sign.
* test: fix flaky fix-jit-dump-ir-conv.test.lua
* IR_MIN/IR_MAX is non-commutative due to underlying FPU ops.
* Fix jit.dump() output for IR_CONV.
* Fix FOLD rule for x-0.
* FFI: Fix pragma push stack limit check and throw on overflow.
* Prevent compile of __concat with tailcall to fast function.
* Fix base register coalescing in side trace.
* Fix register mask for stack check in head of side trace.
* x64: Properly fix __call metamethod return dispatch.

Closes #8594
Closes #8767
Closes #9339
Part of #9145

NO_DOC=LuaJIT submodule bump
NO_TEST=LuaJIT submodule bump
Found by svace: report
https://github.com/tarantool/luajit/blob/52e7daa38ca4f9447c2db306618ba2e7e566c8e6/src/lj_cparse.c#L1780-L1782

`cp->packstack` is of size `CPARSE_MAX_PACKSTACK`. `cp->curpack` is checked to be less than `CPARSE_MAX_PACKSTACK`, but then `cp->packstack` is accessed at `cp->curpack + 1`, which is out of bounds.

Another issue, seems to be fixed by the same patch: report

`cp->curpack` is incremented if `cp->curpack` is less than `CPARSE_MAX_PACKSTACK`. Then `cp->packstack` is accessed at `cp->curpack`, which is now equal to `CPARSE_MAX_PACKSTACK`.
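The two svace findings above and the fix described in the commit messages can be reproduced in a small model, added here as an example and not code from LuaJIT or Tarantool. It models only the two `CPState` fields the issue talks about, `packstack[CPARSE_MAX_PACKSTACK]` and `curpack`, as one flat byte array so that the one-past-the-end write lands on a defined byte (the `curpack` slot, matching the commit message's statement that the `cp->curpack` value is overwritten) instead of being undefined behaviour; that adjacency, the `push_before_fix`/`push_after_fix`/`set_pack` names and the "pack(push)" and "pack(N)" driver are assumptions of the example, not the parser's real API.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CPARSE_MAX_PACKSTACK 7

/* Model of the two CPState fields the issue talks about. Both live in one
 * flat byte array so that the one-past-the-end write of the pre-patch code
 * hits a defined byte (the curpack slot) instead of undefined behaviour:
 * mem[0..6] models packstack[], mem[7] models curpack. This adjacency is an
 * assumption of the example, chosen to match the issue's statement that
 * the out-of-bounds write overwrites cp->curpack. */
typedef struct {
  uint8_t mem[CPARSE_MAX_PACKSTACK + 1];
} PackModel;

#define PACKSTACK(m) ((m)->mem)
#define CURPACK(m)   ((m)->mem[CPARSE_MAX_PACKSTACK])

/* Fresh parser state with "#pragma pack(align)" already in effect. */
static void model_init(PackModel *m, uint8_t align) {
  memset(m->mem, 0, sizeof m->mem);
  PACKSTACK(m)[0] = align;
}

/* "#pragma pack(push)" with the pre-patch condition. curpack == 6 passes
 * the check, so the copy targets packstack[7]: in this model that is the
 * curpack byte itself, which is then incremented on top of the garbage. */
static int push_before_fix(PackModel *m) {
  uint8_t cur = CURPACK(m);
  if (cur < CPARSE_MAX_PACKSTACK) {
    PACKSTACK(m)[cur + 1] = PACKSTACK(m)[cur];
    CURPACK(m)++;
  }
  return 0;           /* overflow is silently ignored, as before the patch */
}

/* "#pragma pack(push)" with the corrected condition: a push is allowed only
 * while there is room for the copy, and overflow is reported instead of
 * being ignored (the real patch throws a parser error at this point). */
static int push_after_fix(PackModel *m) {
  uint8_t cur = CURPACK(m);
  if (cur < CPARSE_MAX_PACKSTACK - 1) {
    PACKSTACK(m)[cur + 1] = PACKSTACK(m)[cur];
    CURPACK(m)++;
    return 0;
  }
  return -1;          /* stands in for the error throw */
}

/* "#pragma pack(N)": store the new alignment in the current slot. This is
 * the access svace flagged second: with curpack == CPARSE_MAX_PACKSTACK it
 * writes packstack[7], i.e. the curpack byte in this model. The model has
 * only that one spare byte, so larger indices are not simulated. */
static void set_pack(PackModel *m, uint8_t n) {
  if (CURPACK(m) <= CPARSE_MAX_PACKSTACK)
    PACKSTACK(m)[CURPACK(m)] = n;
}

/* Apply `pushes` pushes, then one pack(set_n) if set_n >= 0; return the
 * resulting curpack so the corruption is observable as a value. */
static int curpack_after(int pushes, int set_n, bool fixed, uint8_t align) {
  PackModel m;
  model_init(&m, align);
  for (int i = 0; i < pushes; i++) {
    int rc = fixed ? push_after_fix(&m) : push_before_fix(&m);
    if (rc < 0) break;                      /* fixed code rejects the push */
  }
  if (set_n >= 0) set_pack(&m, (uint8_t)set_n);
  return CURPACK(&m);
}

int main(void) {
  printf("6 pushes, before fix:           curpack=%d\n", curpack_after(6, -1, false, 1));
  printf("7 pushes, before fix:           curpack=%d (clobbered)\n", curpack_after(7, -1, false, 1));
  printf("7 pushes, after fix:            curpack=%d (7th rejected)\n", curpack_after(7, -1, true, 1));
  printf("7 pushes, before fix, align 6:  curpack=%d (== CPARSE_MAX_PACKSTACK)\n",
         curpack_after(7, -1, false, 6));
  printf("... then pack(4), before fix:   curpack=%d (pack(N) wrote packstack[7])\n",
         curpack_after(7, 4, false, 6));
  printf("... then pack(4), after fix:    curpack=%d\n", curpack_after(7, 4, true, 6));
  return 0;
}
```

With the pre-patch check, the seventh push copies `packstack[6]` into `packstack[7]`, so the current alignment value becomes the new stack index and the increment runs on top of it; with an alignment of 6 the index ends up exactly at `CPARSE_MAX_PACKSTACK`, which is the state in which the second report's `packstack[cp->curpack]` store also goes out of bounds. The corrected check stops at index 6 and reports the overflow instead.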