Subject: [Tarantool-patches] [PATCH luajit] Fix limit check in narrow_conv_backprop().
From: Sergey Kaplun via Tarantool-patches
Reply-To: Sergey Kaplun
To: Maxim Kokryashkin, Sergey Bronnikov
Cc: tarantool-patches@dev.tarantool.org
Date: Mon, 26 Aug 2024 15:37:40 +0300
Message-ID: <20240826123740.12759-1-skaplun@tarantool.org>
X-Mailer: git-send-email 2.46.0

From: Mike Pall

Thanks to Sergey Kaplun.

(cherry picked from commit e45fd4cb713b610506213692f3b55a1869febb03)

`narrow_conv_backprop()` misses the stack pointer (`nc->sp`) limit check
after a bunch of recursive calls that may change its value. As a result,
it leads to stack-buffer-overflow during the instruction narrowing. This
patch adds a missing check.

Sergey Kaplun:
* added the description and the test for the problem

Part of tarantool/tarantool#10199
---
Branch: https://github.com/tarantool/luajit/tree/skaplun/lj-1262-fix-limit-narrow-conv-backprop

Related issues:
* https://github.com/tarantool/tarantool/issues/10199
* https://github.com/LuaJIT/LuaJIT/issues/1262

 src/lj_opt_narrow.c                           |  3 +-
 ...62-fix-limit-narrow-conv-backprop.test.lua | 61 +++++++++++++++++++
 2 files changed, 63 insertions(+), 1 deletion(-)
 create mode 100644 test/tarantool-tests/lj-1262-fix-limit-narrow-conv-backprop.test.lua

diff --git a/src/lj_opt_narrow.c b/src/lj_opt_narrow.c
index db0da10f..6b6f20d3 100644
--- a/src/lj_opt_narrow.c
+++ b/src/lj_opt_narrow.c
@@ -341,7 +341,8 @@ static int narrow_conv_backprop(NarrowConv *nc, IRRef ref, int depth) NarrowIns *savesp = nc->sp; int count = narrow_conv_backprop(nc, ir->op1, depth); count += narrow_conv_backprop(nc, ir->op2, depth); - if (count <= 1) { /* Limit total number of conversions. */ + /* Limit total number of conversions. */ + if (count <= 1 && nc->sp < nc->maxsp) { *nc->sp++ = NARROWINS(IRT(ir->o, nc->t), ref); return count; } diff --git a/test/tarantool-tests/lj-1262-fix-limit-narrow-conv-backprop.test.lua b/test/tarantool-tests/lj-1262-fix-limit-narrow-conv-backprop.test.lua new file mode 100644 index 00000000..6bb4025d --- /dev/null +++ b/test/tarantool-tests/lj-1262-fix-limit-narrow-conv-backprop.test.lua 
@@ -0,0 +1,61 @@ +local tap = require('tap') + +-- Test file to demonstrate stack-buffer-overflow during the +-- narrowing optimization. +-- See also: https://github.com/LuaJIT/LuaJIT/issues/1262. + +local test = tap.test('lj-1262-fix-limit-narrow-conv-backprop'):skipcond({ + ['Test requires JIT enabled'] = not jit.status(), +}) + +test:plan(1) + +-- XXX: Test fails only under ASAN. +-- XXX: The original reproducer was found by fuzzer: +-- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=70779. +-- It creates a long side trace with a huge amount of ADD IRs, +-- which are recursively used in the `narrow_conv_backprop()` many +-- enough times to catch the stack-buffer-overflow. I can't +-- simplify the reproducer any more (or write it from scratch), so +-- I leave it in that state. + +local DEFAULT_NUMBER = 1 +local tonumber = tonumber + +local always_number = function(val) + return tonumber(val) or DEFAULT_NUMBER +end + +local add = function(v1, v2) + return always_number(v1) + always_number(v2) +end + +jit.opt.start('hotloop=1', 'hotexit=1') + +local counter_0 = 0 +local counter_1 = 0 +local counter_2 = 0 +local tmp = add(nil, 'Name') +local Name0 = add(tmp, 'Name') +-- Start a long side trace here. +for _ = 0, 0, 0 do + if counter_0 > 5 then break end + counter_0 = counter_0 + 1 + + for _ = always_number(false), 1, always_number(Name0) do + if counter_1 > 5 then break end + counter_1 = counter_1 + 1 + + repeat + if counter_2 > 5 then break end + counter_2 = counter_2 + 1 + + Name0 = Name0 + Name0 + Name0 + Name0 = add(Name0, nil) + Name0 + until nil + end +end + +test:ok(true, 'no stack-buffer-overflow during narrowing') + +test:done(true) -- 2.46.0
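Review bot: in the `src/lj_opt_narrow.c` hunk the relocated comment still reads only `/* Limit total number of conversions. */` although the condition under it now also enforces the conversion-stack bound `nc->sp < nc->maxsp`; extend it to something like `/* Limit total number of conversions and bound the conversion stack. */` so the second clause is not mistaken for a redundant check later. The strict `<` is the right comparison here, since the body stores exactly one `NarrowIns` via `*nc->sp++`; and when the bound is reached the block is simply skipped, the same path taken for `count > 1`, so the fix reuses the existing give-up behaviour for this subtree instead of adding a new one.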
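Review bot: in the new `lj-1262-fix-limit-narrow-conv-backprop.test.lua` the only assertion is `test:ok(true, 'no stack-buffer-overflow during narrowing')`, so on a build without ASAN the test passes against an unpatched `lj_opt_narrow.c` as well; the `XXX: Test fails only under ASAN.` comment says so, but the test description (or the `test:ok` message) should state that the expected failure mode is a sanitizer abort, not a failed assertion, so nobody reads a green run as proof of the fix. Since the reproducer depends on a long side trace being recorded (`jit.opt.start('hotloop=1', 'hotexit=1')` is there to force it), also consider checking after the loops that a trace was actually compiled, which guards against the reproducer silently ceasing to reach the narrowing path. Minor wording in the header comment: "many enough times" should be "enough times".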