From: Sergey Kaplun via Tarantool-patches <tarantool-patches@dev.tarantool.org> To: Sergey Ostanevich <sergos@tarantool.org>, Maxim Kokryashkin <max.kokryashkin@gmail.com> Cc: tarantool-patches@dev.tarantool.org Subject: [Tarantool-patches] [PATCH luajit] Fix overflow check in unpack(). Date: Tue, 23 Aug 2022 11:06:59 +0300 [thread overview] Message-ID: <20220823080659.16880-1-skaplun@tarantool.org> (raw) From: Mike Pall <mike> Thanks to HybridDog. When build with optimization compiler may throw away overflow check in `unpack()` base library function. This patch prevents aforementioned error by comparing the unsigned amount of values to unpack with `LUAI_MAXCSTACK` instead of 0. Sergey Kaplun: * added the description and the test for the problem Part of tarantool/tarantool#7230 --- Issue/PR: * https://github.com/LuaJIT/LuaJIT/pull/574 * https://github.com/tarantool/tarantool/issues/7230 Branch: https://github.com/tarantool/luajit/tree/skaplun/lj-574-overflow-unpack-full-ci PR: https://github.com/tarantool/tarantool/pull/7596 src/lib_base.c | 6 ++++-- test/tarantool-tests/lj-574-overflow-unpack.test.lua | 12 ++++++++++++ 2 files changed, 16 insertions(+), 2 deletions(-) create mode 100644 test/tarantool-tests/lj-574-overflow-unpack.test.lua diff --git a/src/lib_base.c b/src/lib_base.c index 613a1859..cf57b4f2 100644 --- a/src/lib_base.c +++ b/src/lib_base.c @@ -224,9 +224,11 @@ LJLIB_CF(unpack) int32_t n, i = lj_lib_optint(L, 2, 1); int32_t e = (L->base+3-1 < L->top && !tvisnil(L->base+3-1)) ? lj_lib_checkint(L, 3) : (int32_t)lj_tab_len(t); + uint32_t nu; if (i > e) return 0; - n = e - i + 1; - if (n <= 0 || !lua_checkstack(L, n)) + nu = (uint32_t)e - (uint32_t)i; + n = (int32_t)(nu+1); + if (nu >= LUAI_MAXCSTACK || !lua_checkstack(L, n)) lj_err_caller(L, LJ_ERR_UNPACK); do { cTValue *tv = lj_tab_getint(t, i); diff --git a/test/tarantool-tests/lj-574-overflow-unpack.test.lua b/test/tarantool-tests/lj-574-overflow-unpack.test.lua new file mode 100644 index 00000000..6715d947 --- /dev/null +++ b/test/tarantool-tests/lj-574-overflow-unpack.test.lua @@ -0,0 +1,12 @@ +local tap = require('tap') + +-- Test file to demonstrate integer overflow in the `unpack()` +-- function due to compiler optimization. +-- See also https://github.com/LuaJIT/LuaJIT/pull/574. +local test = tap.test('lj-574-overflow-unpack') +test:plan(1) + +local r, e = pcall(unpack, {}, 0, 2^31 - 1) +test:ok(not r and e == 'too many results to unpack', 'overflow check in unpack') + +os.exit(test:check() and 0 or 1) -- 2.34.1
next reply other threads:[~2022-08-23 8:09 UTC|newest] Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top 2022-08-23 8:06 Sergey Kaplun via Tarantool-patches [this message] 2022-08-23 11:03 ` sergos via Tarantool-patches 2022-08-23 13:38 ` Sergey Kaplun via Tarantool-patches 2022-09-06 13:47 ` Maxim Kokryashkin via Tarantool-patches 2022-09-07 11:56 ` Sergey Kaplun via Tarantool-patches 2022-09-07 12:00 ` Maxim Kokryashkin via Tarantool-patches 2022-11-11 8:54 ` Igor Munkin via Tarantool-patches
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20220823080659.16880-1-skaplun@tarantool.org \ --to=tarantool-patches@dev.tarantool.org \ --cc=max.kokryashkin@gmail.com \ --cc=sergos@tarantool.org \ --cc=skaplun@tarantool.org \ --subject='Re: [Tarantool-patches] [PATCH luajit] Fix overflow check in unpack().' \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox