[Tarantool-patches] [PATCH luajit] Fix predict_next() in parser (again).
Igor Munkin
imun at tarantool.org
Wed Sep 27 15:33:15 MSK 2023
Sergey,
I've checked the patchset into all long-term branches in
tarantool/luajit and bumped a new version in master, release/2.11 and
release/2.10.
On 29.08.23, Sergey Bronnikov via Tarantool-patches wrote:
> From: sergeyb at tarantool.org
>
> Reported by Sergey Bronnikov. #1054
>
> (cherry picked from commit 309fb42b871b6414f53e0e0e708bce0b0d62daff)
>
> The following Lua snippet triggers an out-of-bounds access to a stack:
>
> ```lua
> a, b, c = 1, 2, 3
> local d
> for _ in nil do end
> ```
>
> When the snippet is executed by LuaJIT instrumented with ASAN, it leads
> to a heap-buffer-overflow.
>
> In the function `predict_next`, the variable `exprpc` looks forward and
> expects extra bytecodes on the stack. However, `KPRI` is merged into
> `KNIL` and there is no new bytecode to add, so `exprpc == fs->bclim`
> and this leads to an out-of-bounds access.
>
> Sergey Bronnikov:
> * added the description and the test for the problem
>
> Part of tarantool/tarantool#8825
> ---
>
> PR: https://github.com/tarantool/tarantool/pull/9054
> Branch: https://github.com/tarantool/luajit/tree/ligurio/lj-1054-incorrect-pc-value-predict_next
> Related issue:
> * https://github.com/LuaJIT/LuaJIT/issues/1054
>
> src/lj_parse.c | 4 +++-
> ...incorrect-pc-value-in-predict_next.test.lua | 18 ++++++++++++++++++
> 2 files changed, 21 insertions(+), 1 deletion(-)
> create mode 100644 test/tarantool-tests/lj-1054-incorrect-pc-value-in-predict_next.test.lua
>
<snipped>
> --
> 2.34.1
>
--
Best regards,
IM
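The buffer state described in the quoted commit message, modelled as an added example: this is neither LuaJIT's code nor the snipped patch from this thread. The types and functions here (`ToyIns`, `ToyFuncState`, `toy_init`, `emit_nil`, `predict_next_unchecked`, `predict_next_checked`, `build_scenario`) are hypothetical stand-ins that only loosely mirror `lj_parse.c`; the toy buffer is sized so that the three statements from the report fill it exactly, which is the condition `exprpc == fs->bclim` the message describes.

```c
/* Added example (not LuaJIT's code, not the patch): a toy model of the
 * parser's bytecode buffer. It shows why a look-ahead at pc == bclim reads
 * past the emitted instructions once a nil is merged into the preceding
 * KPRI/KNIL, and the bounds check that avoids the read. Every name here
 * (ToyIns, ToyFuncState, emit_nil, predict_next_*) is hypothetical and
 * only loosely mirrors lj_parse.c. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { OP_NONE = 0, OP_KPRI, OP_KNIL, OP_GSET } ToyOp;

typedef struct {
  ToyOp op;
  uint8_t a;  /* first destination register */
  uint8_t d;  /* last destination register */
} ToyIns;

#define TOY_BCLIM 2  /* sized so the snippet from the report fills it exactly */

typedef struct {
  ToyIns buf[TOY_BCLIM];
  ToyIns *bcbase;  /* start of the bytecode buffer */
  size_t pc;       /* next free slot == number of emitted instructions */
  size_t bclim;    /* one past the last slot that may be read or written */
} ToyFuncState;

void toy_init(ToyFuncState *fs) {
  memset(fs, 0, sizeof *fs);
  fs->bcbase = fs->buf;
  fs->bclim = TOY_BCLIM;
}

/* Emit "register reg = nil". As in the real parser, a nil for the register
 * right after a preceding KPRI/KNIL is folded into that instruction
 * (widened to KNIL) instead of appending, so fs->pc does not advance.
 * Returns 1 if appended, 0 if merged, -1 if the toy buffer is full
 * (the real parser grows bcbase; the toy deliberately does not). */
int emit_nil(ToyFuncState *fs, uint8_t reg) {
  if (fs->pc > 0) {
    ToyIns *prev = &fs->bcbase[fs->pc - 1];
    if ((prev->op == OP_KPRI || prev->op == OP_KNIL) && prev->d + 1 == reg) {
      prev->op = OP_KNIL;
      prev->d = reg;
      return 0;
    }
  }
  if (fs->pc >= fs->bclim) return -1;
  fs->bcbase[fs->pc].op = OP_KPRI;
  fs->bcbase[fs->pc].a = reg;
  fs->bcbase[fs->pc].d = reg;
  fs->pc++;
  return 1;
}

/* The defect class: read the instruction at pc unconditionally. When the
 * expression's nil was merged and the buffer is exactly full, pc == bclim
 * and this touches one element past the buffer (the kind of read ASAN
 * flags as a heap-buffer-overflow). Kept for comparison; not called below. */
ToyOp predict_next_unchecked(const ToyFuncState *fs, size_t pc) {
  return fs->bcbase[pc].op;
}

/* Guarded form: a position at or beyond bclim holds no instruction, so
 * there is nothing to predict from; answer "unknown" instead of reading. */
ToyOp predict_next_checked(const ToyFuncState *fs, size_t pc) {
  if (pc >= fs->bclim) return OP_NONE;
  return fs->bcbase[pc].op;
}

/* Replay the three statements from the report. Register 0 is `d`,
 * register 1 is the hidden for-in control slot. Stores in *exprpc the
 * position the parser records before parsing the for-in expression. */
void build_scenario(ToyFuncState *fs, size_t *exprpc) {
  toy_init(fs);
  fs->bcbase[fs->pc].op = OP_GSET;  /* a, b, c = 1, 2, 3 (stand-in) */
  fs->pc++;
  emit_nil(fs, 0);          /* local d -> KPRI at slot 1, now pc == bclim */
  *exprpc = fs->pc;         /* for _ in nil: a new instruction is expected here */
  emit_nil(fs, 1);          /* ...but the nil merges into slot 1; pc stays put */
}

int scenario_hits_bclim(void) {
  ToyFuncState fs; size_t exprpc;
  build_scenario(&fs, &exprpc);
  return exprpc == fs.bclim;
}

int scenario_merged_into_knil(void) {
  ToyFuncState fs; size_t exprpc;
  build_scenario(&fs, &exprpc);
  return fs.bcbase[fs.pc - 1].op == OP_KNIL && fs.bcbase[fs.pc - 1].d == 1;
}

ToyOp scenario_checked_lookahead(void) {
  ToyFuncState fs; size_t exprpc;
  build_scenario(&fs, &exprpc);
  return predict_next_checked(&fs, exprpc);
}

int main(void) {
  ToyFuncState fs; size_t exprpc;
  build_scenario(&fs, &exprpc);
  printf("exprpc=%zu bclim=%zu merged=%s checked=%d\n", exprpc, fs.bclim,
         scenario_merged_into_knil() ? "yes" : "no",
         (int)predict_next_checked(&fs, exprpc));
  return 0;
}
```

Building with `-fsanitize=address` and calling `predict_next_unchecked` at `exprpc` in this state is the toy equivalent of the report; the checked variant returns `OP_NONE` there and leaves the caller to fall back to its non-predicted path.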