[Tarantool-patches] [PATCH luajit] FFI: Fix pragma push stack limit check and throw on overflow.
Igor Munkin
imun at tarantool.org
Wed Nov 8 21:39:59 MSK 2023
Sergey,
Thanks for the patch! LGTM, with a single nit below.
On 08.11.23, Sergey Kaplun wrote:
> From: Mike Pall <mike>
>
> Reported by Sergey Kaplun.
>
> (cherry-picked from commit 433d7e8d8d182f44e88b5cfdc4b2d3026469dfb7)
>
> `cp->packstack` is the array of size `CPARSE_MAX_PACKSTACK` (7). Before
> the patch, `cp->curpack` is checked to be less than
> `CPARSE_MAX_PACKSTACK`, but then `cp->packstack` is accessed at
> `cp->curpack + 1`, which is out of bounds, so `cp->curpack` value is
> overwritten.
>
> This patch fixes a condition and also adds the error throw when counter
> is overflow (instead of rewriting a top `cp->packstack` value).
>
> Sergey Kaplun:
> * added the description and the test for the problem
>
> Resolves tarantool/tarantool#9339
> Part of tarantool/tarantool#9145
> ---
>
> Branch: https://github.com/tarantool/luajit/tree/skaplun/lj-1114-ffi-pragma-pack
> Tarantool PR: https://github.com/tarantool/tarantool/pull/9342
> Relate issues:
> * https://github.com/LuaJIT/LuaJIT/issues/1114
> * https://github.com/tarantool/tarantool/issues/9339
> * https://github.com/tarantool/tarantool/issues/9145
>
> src/lj_cparse.c | 4 +-
> .../lj-1114-ffi-pragma-pack.test.lua | 44 +++++++++++++++++++
> 2 files changed, 47 insertions(+), 1 deletion(-)
> create mode 100644 test/tarantool-tests/lj-1114-ffi-pragma-pack.test.lua
>
<snipped>
> diff --git a/test/tarantool-tests/lj-1114-ffi-pragma-pack.test.lua b/test/tarantool-tests/lj-1114-ffi-pragma-pack.test.lua
> new file mode 100644
> index 00000000..e5642828
> --- /dev/null
> +++ b/test/tarantool-tests/lj-1114-ffi-pragma-pack.test.lua
> @@ -0,0 +1,44 @@
> +local tap = require('tap')
> +
> +-- Test file to demonstrate LuaJIT incorrect parsing of `#pragma`
> +-- directive via FFI.
> +-- See also: https://github.com/LuaJIT/LuaJIT/issues/1114.
> +
> +local test = tap.test('lj-1114-ffi-pragma-pack')
> +local ffi = require 'ffi'
Please use parantheses here too.
> +
> +test:plan(2)
> +
> +-- `cp->packstack` is the array of size `CPARSE_MAX_PACKSTACK`
> +-- (7). Before the patch, `cp->curpack` is checked to be less than
> +-- `CPARSE_MAX_PACKSTACK`, but then `cp->packstack` is accessed at
> +-- `cp->curpack + 1`, which is out of bounds, so `cp->curpack`
> +-- value is overwritten.
> +-- As a result, the incorrect pack value (1) is chosen after pop.
> +-- After the patch, the error is thrown in the case of overflow
> +-- (instead of rewriting the top pack slot value), so we use the
> +-- wrapper to catch the error.
> +local function ffi_cdef_wp()
> + ffi.cdef[[
> + #pragma pack(push, 1)
> + #pragma pack(push, 1)
> + #pragma pack(push, 1)
> + #pragma pack(push, 1)
> + #pragma pack(push, 8)
> + #pragma pack(push, 8)
> + #pragma pack(push, 8)
> + #pragma pack(pop)
> + struct aligned_struct {uint64_t a; uint8_t b;};
> + ]]
> +
> + -- Got 9 in case of buffer overflow.
> + return ffi.sizeof(ffi.new('struct aligned_struct'))
> +end
> +
> +local err, msg = pcall(ffi_cdef_wp)
> +
> +test:ok(not err, 'the error is thrown when couner overflows')
> +test:like(msg, 'chunk has too many syntax levels',
> + 'the error message is correct')
> +
> +test:done(true)
> --
> 2.42.0
>
--
Best regards,
IM
More information about the Tarantool-patches
mailing list