[Tarantool-patches] [PATCH luajit] Always exit after machine code page protection change fails.

Igor Munkin imun at tarantool.org
Fri Sep 1 15:46:00 MSK 2023 

From: Mike Pall <mike>

Reported by Sergey Kaplun.

(cherry picked from commit c50232eb320d56d526ba5e6cb5bda8cf5a848a55)

Unfortunately, <exit> call had been missing for a long time for the case
when <mprotect> fails within <mcode_protect>. Though the patch per se is
quite trivial, the test is not at all. It exploits the fact, that
<mprotect> is used only for protecting area for mcode or callback
function pointers. Hence, if the test doesn't use FFI at all, it is
guaranteed that the only <mprotect> called in LuaJIT runtime locates in
<mcode_protect> (that is not true for Tarantool, so the test is disabled
for integration testing routine). Furthermore, overloading <mprotect> on
macOS occurs to be not an easy ride either, so running the test on macOS
is disabled, since this is the common part for all platforms and
everything can be checked on Linux in a much more easier way.

Igor Munkin:
* added the description and the test for the problem

Part of tarantool/tarantool#8825

Signed-off-by: Igor Munkin <imun at tarantool.org>
---

Branch: https://github.com/tarantool/luajit/tree/imun/lj-802-panic-at-mcode-protfail
Tarantool PR: https://github.com/tarantool/tarantool/pull/9077
Related issues:
* https://github.com/tarantool/tarantool/issues/8825
* https://github.com/LuaJIT/LuaJIT/issues/802

Regarding the macOS and <mprotect> overriding: I tried several flags to
make this crap work, but I've finally failed to override <mprotect> via
the alternative dylib. I add the related changes right below, so anyone
curious can try my approach.

================================================================================

diff --git a/test/tarantool-tests/lj-802-panic-at-mcode-protfail.test.lua b/test/tarantool-tests/lj-802-panic-at-mcode-protfail.test.lua
index 83a9ae2e..3f28e420 100644
--- a/test/tarantool-tests/lj-802-panic-at-mcode-protfail.test.lua
+++ b/test/tarantool-tests/lj-802-panic-at-mcode-protfail.test.lua
@@ -24,7 +24,11 @@ test:plan(3)
 -- <makecmd> runs %testname%/script.lua by <LUAJIT_TEST_BINARY>
 -- with the given environment, launch options and CLI arguments.
 local script = require('utils').exec.makecmd(arg, {
-  env = { LD_PRELOAD = 'mymprotect.so' },
+  env = {
+    DYLD_LIBRARY_PATH = os.getenv('DYLD_LIBRARY_PATH'),
+    DYLD_INSERT_LIBRARIES = 'mymprotect.dylib',
+    LD_PRELOAD = 'mymprotect.so',
+  },
   redirect = '2>&1',
 })

================================================================================

This link[1] claims, that there is no way to override syscalls this way
on macOS, but I've even failed to override <malloc> or rather <memcpy>.
DYLD_FORCE_FLATE_NAMESPACE didn't change the result, all DYLD_*
debugging envvars yield some info, that looks like a gibberish to me
(comparing to LD_DEBUG=1). I'm giving up (at least for now), but I'm
open to discuss if someone is interested in debugging this.

[1]: https://stackoverflow.com/questions/929893/how-can-i-override-malloc-calloc-free-etc-under-os-x

 src/lj_mcode.c                                |  3 +-
 test/tarantool-tests/CMakeLists.txt           |  1 +
 .../lj-802-panic-at-mcode-protfail.test.lua   | 41 +++++++++++++++++++
 .../CMakeLists.txt                            |  1 +
 .../mymprotect.c                              |  6 +++
 .../lj-802-panic-at-mcode-protfail/script.lua | 12 ++++++
 6 files changed, 63 insertions(+), 1 deletion(-)
 create mode 100644 test/tarantool-tests/lj-802-panic-at-mcode-protfail.test.lua
 create mode 100644 test/tarantool-tests/lj-802-panic-at-mcode-protfail/CMakeLists.txt
 create mode 100644 test/tarantool-tests/lj-802-panic-at-mcode-protfail/mymprotect.c
 create mode 100644 test/tarantool-tests/lj-802-panic-at-mcode-protfail/script.lua

diff --git a/src/lj_mcode.c b/src/lj_mcode.c
index 808a9897..a88d16bd 100644
--- a/src/lj_mcode.c
+++ b/src/lj_mcode.c
@@ -180,7 +180,7 @@ static void mcode_protect(jit_State *J, int prot)
 #define MCPROT_RUN	MCPROT_RX
 
 /* Protection twiddling failed. Probably due to kernel security. */
-static LJ_NOINLINE void mcode_protfail(jit_State *J)
+static LJ_NORET LJ_NOINLINE void mcode_protfail(jit_State *J)
 {
   lua_CFunction panic = J2G(J)->panic;
   if (panic) {
@@ -188,6 +188,7 @@ static LJ_NOINLINE void mcode_protfail(jit_State *J)
     setstrV(L, L->top++, lj_err_str(L, LJ_ERR_JITPROT));
     panic(L);
   }
+  exit(EXIT_FAILURE);
 }
 
 /* Change protection of MCode area. */
diff --git a/test/tarantool-tests/CMakeLists.txt b/test/tarantool-tests/CMakeLists.txt
index 6218f76a..64c0319b 100644
--- a/test/tarantool-tests/CMakeLists.txt
+++ b/test/tarantool-tests/CMakeLists.txt
@@ -65,6 +65,7 @@ add_subdirectory(gh-6189-cur_L)
 add_subdirectory(lj-416-xor-before-jcc)
 add_subdirectory(lj-601-fix-gc-finderrfunc)
 add_subdirectory(lj-727-lightuserdata-itern)
+add_subdirectory(lj-802-panic-at-mcode-protfail)
 add_subdirectory(lj-flush-on-trace)
 
 # The part of the memory profiler toolchain is located in tools
diff --git a/test/tarantool-tests/lj-802-panic-at-mcode-protfail.test.lua b/test/tarantool-tests/lj-802-panic-at-mcode-protfail.test.lua
new file mode 100644
index 00000000..83a9ae2e
--- /dev/null
+++ b/test/tarantool-tests/lj-802-panic-at-mcode-protfail.test.lua
@@ -0,0 +1,41 @@
+local tap = require('tap')
+local test = tap.test('lj-flush-on-trace'):skipcond({
+  ['Test requires JIT enabled'] = not jit.status(),
+  ['Disabled on *BSD due to #4819'] = jit.os == 'BSD',
+  -- XXX: This test has to check the particular patch for
+  -- <mcode_protfail> and <mprotect> is overloaded for this
+  -- purpose. However, <mprotect> is used widely in Tarantool
+  -- to play with fiber stacks, so overriding <mprotect> is not
+  -- suitable to test this feature in Tarantool.
+  -- luacheck: no global
+  ['<mprotect> overriding can break Tarantool'] = _TARANTOOL,
+  -- XXX: Unfortunately, it's too hard to overload (or even
+  -- impossible, who knows, since Cupertino fellows do not
+  -- provide any information about their system) something from
+  -- libsystem_kernel.dylib (the library providing <mprotect>).
+  -- All in all, this test checks the part, that is common for all
+  -- platforms, so it's not vital to run this test on macOS, since
+  -- everything can be checked on Linux in a much more easier way.
+  ['<mprotect> cannot be overridden on macOS'] = jit.os == 'OSX',
+})
+
+test:plan(3)
+
+-- <makecmd> runs %testname%/script.lua by <LUAJIT_TEST_BINARY>
+-- with the given environment, launch options and CLI arguments.
+local script = require('utils').exec.makecmd(arg, {
+  env = { LD_PRELOAD = 'mymprotect.so' },
+  redirect = '2>&1',
+})
+
+-- See the rationale for this poison hack in the script.lua.
+local poison = '"runtime code generation succeed"'
+local output = script(poison)
+test:like(output, 'runtime code generation failed, restricted kernel%?',
+          'Panic occurred as a result of <mprotect> failure')
+test:unlike(output, 'Segmentation fault',
+            'LuaJIT exited as a result of the panic (error check)')
+test:unlike(output, poison,
+            'LuaJIT exited as a result of the panic (poison check)')
+
+test:done(true)
diff --git a/test/tarantool-tests/lj-802-panic-at-mcode-protfail/CMakeLists.txt b/test/tarantool-tests/lj-802-panic-at-mcode-protfail/CMakeLists.txt
new file mode 100644
index 00000000..25520a1a
--- /dev/null
+++ b/test/tarantool-tests/lj-802-panic-at-mcode-protfail/CMakeLists.txt
@@ -0,0 +1 @@
+BuildTestCLib(mymprotect mymprotect.c)
diff --git a/test/tarantool-tests/lj-802-panic-at-mcode-protfail/mymprotect.c b/test/tarantool-tests/lj-802-panic-at-mcode-protfail/mymprotect.c
new file mode 100644
index 00000000..65763b1b
--- /dev/null
+++ b/test/tarantool-tests/lj-802-panic-at-mcode-protfail/mymprotect.c
@@ -0,0 +1,6 @@
+#include <stddef.h>
+
+int mprotect(void *addr, size_t len, int prot)
+{
+	return -1;
+}
diff --git a/test/tarantool-tests/lj-802-panic-at-mcode-protfail/script.lua b/test/tarantool-tests/lj-802-panic-at-mcode-protfail/script.lua
new file mode 100644
index 00000000..661099fa
--- /dev/null
+++ b/test/tarantool-tests/lj-802-panic-at-mcode-protfail/script.lua
@@ -0,0 +1,12 @@
+jit.opt.start('hotloop=1')
+
+-- Run a simple loop that triggers <mprotect> on trace assembling.
+local a = 0
+for i = 1, 3 do
+  a = a + i
+end
+
+-- XXX: Just a simple contract output in case neither panic at
+-- <mprotect>, nor crash occurs (see for LUAJIT_UNPROTECT_MCODE in
+-- lj_mcode.c for more info).
+io.write(arg[1])
-- 
2.30.2

More information about the Tarantool-patches mailing list