From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from [87.239.111.99] (localhost [127.0.0.1]) by dev.tarantool.org (Postfix) with ESMTP id D276A9DD9B2; Tue, 30 Jan 2024 18:08:34 +0300 (MSK) DKIM-Filter: OpenDKIM Filter v2.11.0 dev.tarantool.org D276A9DD9B2 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tarantool.org; s=dev; t=1706627314; bh=s71kEGdWrUwv+C8PNuJc/KoVKCTGD76rNAMcj0MAUuk=; h=To:Date:Subject:List-Id:List-Unsubscribe:List-Archive:List-Post: List-Help:List-Subscribe:From:Reply-To:Cc:From; b=BRzuHLNGKmhomVyjosKRYLmoqP/2bzL1y4uVph+ZLkBpnoHMwTm7zUK91Vq7SR/kE UNsrmQzDoMzD2Ozpq5mS69FPKvJSRiWyQmqoWW9ZG06dS/FH3QBZBwewJkTLjqi62r 5/uWqm6GCFFG9T76adAbWvqteorhqRxN8n0lvJFk= Received: from smtp16.i.mail.ru (smtp16.i.mail.ru [95.163.41.69]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by dev.tarantool.org (Postfix) with ESMTPS id B8D0C7346C1 for ; Tue, 30 Jan 2024 18:08:32 +0300 (MSK) DKIM-Filter: OpenDKIM Filter v2.11.0 dev.tarantool.org B8D0C7346C1 Received: by smtp16.i.mail.ru with esmtpa (envelope-from ) id 1rUpix-00000009nmx-2rPF; Tue, 30 Jan 2024 18:08:32 +0300 To: Maxim Kokryashkin , Sergey Bronnikov Date: Tue, 30 Jan 2024 18:04:37 +0300 Message-ID: <20240130150437.17133-1-skaplun@tarantool.org> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Mailru-Src: smtp X-7564579A: EEAE043A70213CC8 X-77F55803: 4F1203BC0FB41BD93C58C36AA2E99649913F598E3EEE18285DA7E33959698359182A05F5380850404C228DA9ACA6FE273C15FF878184C5565D1BE6A8D71B10A5FD9ABB8A7D5426CF38CD1497D49BAB10B6A098A45AF874EE X-7FA49CB5: FF5795518A3D127A4AD6D5ED66289B5278DA827A17800CE7A20935EE237A17ECEA1F7E6F0F101C67BD4B6F7A4D31EC0BCC500DACC3FED6E28638F802B75D45FF8AA50765F7900637325F50A45595CD878638F802B75D45FF36EB9D2243A4F8B5A6FCA7DBDB1FC311F39EFFDF887939037866D6147AF826D87D5CF845F65AE197E12E2F06CC43482613999023D85C0BC6CC7F00164DA146DAFE8445B8C89999728AA50765F7900637B18CEC08E50EEB57389733CBF5DBD5E9C8A9BA7A39EFB766F5D81C698A659EA7CC7F00164DA146DA9985D098DBDEAEC87AE820D2C17D0E56F6B57BC7E6449061A352F6E88A58FB86F5D81C698A659EA7E827F84554CEF5019E625A9149C048EE33AC447995A7AD182BEBFE083D3B9BA73A03B725D353964B0B7D0EA88DDEDAC722CA9DD8327EE4930A3850AC1BE2E735D05AD665AB97B35DC4224003CC83647689D4C264860C145E X-87b9d050: 1 X-C1DE0DAB: 0D63561A33F958A5E62984E914C022805002B1117B3ED696D5BD0D02DB6200FEED71F038FC046993823CB91A9FED034534781492E4B8EEADFB12F4B11BB5604FC79554A2A72441328621D336A7BC284946AD531847A6065A535571D14F44ED41 X-C8649E89: 1C3962B70DF3F0ADE00A9FD3E00BEEDF77DD89D51EBB7742D3581295AF09D3DF87807E0823442EA2ED31085941D9CD0AF7F820E7B07EA4CF3D6529AA869ECBDF989E817743773221D59A313CCEE4BA69BF776CBC03E12B59A703FE8D8B5282218FB01E7B8BF01A69F48E5CB251397F082474B4335973C69CDC030A034F431A4FC226CC413062362A913E6812662D5F2A5EAB5682573093F7837F15F2B5E4A70B33F2C28C22F508233FCF178C6DD14203 X-D57D3AED: 3ZO7eAau8CL7WIMRKs4sN3D3tLDjz0dLbV79QFUyzQ2Ujvy7cMT6pYYqY16iZVKkSc3dCLJ7zSJH7+u4VD18S7Vl4ZUrpaVfd2+vE6kuoey4m4VkSEu530nj6fImhcD4MUrOEAnl0W826KZ9Q+tr5ycPtXkTV4k65bRjmOUUP8cvGozZ33TWg5HZplvhhXbhDGzqmQDTd6OAevLeAnq3Ra9uf7zvY2zzsIhlcp/Y7m53TZgf2aB4JOg4gkr2biojHUK3TkZYwr+IRpdjuHjOxg== X-DA7885C5: F4715D3E64CD0C64F255D290C0D534F9BBE7A116E7BA4E41B94909D74B743CC8F8734F193E9DB8DE5B1A4C17EAA7BC4BEF2421ABFA55128DAF83EF9164C44C7E X-Mailru-Sender: 689FA8AB762F7393590D8C940224AE3365FADE07EA2B4BBD40DB55470698C0153BE4D4A41490914CE49D44BB4BD9522A059A1ED8796F048DB274557F927329BE89D5A3BC2B10C37545BD1C3CC395C826B4A721A3011E896F X-Mras: Ok Subject: [Tarantool-patches] [PATCH luajit] Fix zero stripping in %g number formatting. X-BeenThere: tarantool-patches@dev.tarantool.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Tarantool development patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , From: Sergey Kaplun via Tarantool-patches Reply-To: Sergey Kaplun Cc: tarantool-patches@dev.tarantool.org Errors-To: tarantool-patches-bounces@dev.tarantool.org Sender: "Tarantool-patches" From: Mike Pall Reported by pwnhacker0x18. (cherry picked from commit 343ce0edaf3906a62022936175b2f5410024cbfc) In the situation when the precision (`prec`) and amount of digits (`hilen`) for the decimal representation are the same and `ndhi` == 0, the `ndlo` part will become 64 (the size of the `nd` stack buffer), and the overflow occurs. This patch adds the corresponding mask (0x3f == 63) for the `ndlo` incrementation result. Sergey Kaplun: * added the description and the test for the problem Part of tarantool/tarantool#9595 --- Branch: https://github.com/tarantool/luajit/tree/skaplun/lj-1149-g-number-formating Tarantool PR: https://github.com/tarantool/tarantool/pull/9633 The test fails on M1 with the timeout (see the example [1]). This fail is patch-unrelated, since I've obscured this failure even for the branch without sources changes (tests only). Related Issues: * https://github.com/LuaJIT/LuaJIT/issues/1149 * https://github.com/tarantool/tarantool/issues/9595 [1]: https://github.com/tarantool/luajit/actions/runs/7712549489/job/21020513973#step:8:5522 Duration of failed tests (seconds): * 60.54 app-tap/gh-2717-no-quit-sigint.test.lua src/lj_strfmt_num.c | 3 ++- .../lj-1149-g-number-formating-bufov.test.lua | 20 +++++++++++++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 test/tarantool-tests/lj-1149-g-number-formating-bufov.test.lua diff --git a/src/lj_strfmt_num.c b/src/lj_strfmt_num.c index c26204b7..c8d9febf 100644 --- a/src/lj_strfmt_num.c +++ b/src/lj_strfmt_num.c @@ -454,7 +454,8 @@ static char *lj_strfmt_wfnum(SBuf *sb, SFormat sf, lua_Number n, char *p) prec--; if (!i) { if (ndlo == ndhi) { prec = 0; break; } - lj_strfmt_wuint9(tail, nd[++ndlo]); + ndlo = (ndlo + 1) & 0x3f; + lj_strfmt_wuint9(tail, nd[ndlo]); i = 9; } } diff --git a/test/tarantool-tests/lj-1149-g-number-formating-bufov.test.lua b/test/tarantool-tests/lj-1149-g-number-formating-bufov.test.lua new file mode 100644 index 00000000..040fd5de --- /dev/null +++ b/test/tarantool-tests/lj-1149-g-number-formating-bufov.test.lua @@ -0,0 +1,20 @@ +local tap = require('tap') + +-- Test file to demonstrate stack-buffer-overflow in the +-- `lj_strfmt_wfnum()` call. +-- See also: https://github.com/LuaJIT/LuaJIT/issues/1149. + +local test = tap.test('lj-1149-g-number-formating-bufov') +test:plan(1) + +-- XXX: The test shows stack-buffer-overflow only under ASAN. +-- The number value for the test is with the same precision +-- (`prec` = 5) and amount of digits (`hilen` = 5) for the decimal +-- representation. Hence, with `ndhi` == 0, the `ndlo` part will +-- become 64 (the size of the `nd` stack buffer), and the overflow +-- occurs. +-- See details in the :`lj_strfmt_wfnum()`. +test:is(string.format('%7g', 0x1.144399609d407p+401), '5.5733e+120', + 'correct format %7g result') + +test:done(true) -- 2.43.0