Subject: Re: [Tarantool-patches] [PATCH luajit] Fix JIT slot overflow during up-recursion.
From: Sergey Bronnikov via Tarantool-patches
Reply-To: Sergey Bronnikov
To: Sergey Kaplun
Cc: tarantool-patches@dev.tarantool.org
Date: Fri, 6 Jun 2025 13:44:26 +0300
Message-ID: <4a506633-c1ae-41ba-8e3f-1c580303f7d4@tarantool.org>
In-Reply-To: <20250605094105.21923-1-skaplun@tarantool.org>
References: <20250605094105.21923-1-skaplun@tarantool.org>
List-Id: Tarantool development patches

Hello, Sergey,

thanks for the patch!

LGTM with minor comment below.

Sergey

On 6/5/25 12:41, Sergey Kaplun wrote:
> From: Mike Pall <mike>
>
> Reported by Sergey Kaplun.
>
> (cherry picked from commit 048972dbfdb6b441fe8a9bfe4d1f048966579ba8)
>
> In the case when LuaJIT is recording the side trace after the
> up-recursion call, there is no check that the updated `maxslot` value
> doesn't overflow the `LJ_MAX_JSLOTS` limit. If it records several huge
> returns in a row, the overflow of the aforementioned limit may occur.
> This triggers an assertion failure in `rec_check_slots()`.
>
> This patch fixes it by adding the corresponding check in the
> `lj_record_ret()`.
>
> Sergey Kaplun:
> * added the description and the test for the problem
>
> Part of tarantool/tarantool#11278

Please add a "Closes tarantool/security#145".

> ---
> Branch: https://github.com/tarantool/luajit/tree/skaplun/lj-1358-jslot-overflow-uprecursion
> Related issues:
> * https://github.com/tarantool/tarantool/issues/11278
> * https://github.com/LuaJIT/LuaJIT/issues/1358

Also https://github.com/tarantool/security/issues/145.


<snipped>
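The quoted commit message describes the defect pattern abstractly: a slot high-water mark (`maxslot`) is raised on each return recorded during up-recursion, the fixed ceiling (`LJ_MAX_JSLOTS`) is only enforced afterwards by an assertion in `rec_check_slots()`, and the fix moves a bounds check into `lj_record_ret()` so recording is refused before the invariant can break. The C model below is an added illustration of that pattern, not code from the patch or from LuaJIT. Everything in it is constructed: `MODEL_MAX_JSLOTS` (set to 250 only so the toy has a ceiling), the `Recorder` and `ReturnEvent` structs, the `model_*` functions, and the assumption that each recorded return grows `maxslot` by the callee frame size plus the result count (LuaJIT's real slot arithmetic differs). It shows the "update, then assert" recorder failing on the third of three large returns while the "check, then update" recorder aborts cleanly with its state intact.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model-only ceiling. LuaJIT's real constant is LJ_MAX_JSLOTS; the value
 * here just gives the toy recorder something to overflow. */
#define MODEL_MAX_JSLOTS 250u

/* Outcomes of recording one return (model names, not LuaJIT's). */
enum RecStatus {
  REC_OK = 0,           /* slot state consistent, keep recording            */
  REC_ASSERT_FAIL = 1,  /* invariant already broken: the assertion scenario */
  REC_TRACE_ABORT = 2   /* recorder refused before breaking the invariant   */
};

/* The only piece of recorder state the bug is about. */
typedef struct {
  uint32_t maxslot;  /* one past the highest slot the trace uses */
} Recorder;

/* A return being recorded: size of the frame returned into and how many
 * results it receives. Constructed input, not LuaJIT's frame layout. */
typedef struct {
  uint32_t framesize;
  uint32_t nresults;
} ReturnEvent;

/* Post-hoc invariant check: it can only report that the limit was already
 * exceeded, which is the role the assertion in rec_check_slots() plays. */
static enum RecStatus model_check_slots(const Recorder *J) {
  return J->maxslot <= MODEL_MAX_JSLOTS ? REC_OK : REC_ASSERT_FAIL;
}

/* Model assumption: each recorded return stacks the returned-into frame on
 * top of the live slots, so repeated huge returns grow maxslot monotonically. */
static uint32_t model_next_maxslot(const Recorder *J, const ReturnEvent *ev) {
  return J->maxslot + ev->framesize + ev->nresults;
}

/* "Before": update first, notice the problem only in the invariant check. */
static enum RecStatus model_record_ret_unchecked(Recorder *J, const ReturnEvent *ev) {
  J->maxslot = model_next_maxslot(J, ev);
  return model_check_slots(J);
}

/* "After": compute the would-be value and refuse to record when it would
 * cross the limit, leaving the recorder state untouched. */
static enum RecStatus model_record_ret_checked(Recorder *J, const ReturnEvent *ev) {
  uint32_t want = model_next_maxslot(J, ev);
  if (want > MODEL_MAX_JSLOTS)
    return REC_TRACE_ABORT;  /* a recoverable trace error, not an assert */
  J->maxslot = want;
  return model_check_slots(J);  /* now always REC_OK */
}

/* Constructed scenario: three returns in a row, each into a frame using
 * 100 slots and delivering 10 results. Two fit under 250; three do not. */
static const ReturnEvent huge_returns[3] = { {100, 10}, {100, 10}, {100, 10} };

/* Feed the first n constructed returns through one recorder variant and
 * stop at the first non-OK status. */
static enum RecStatus model_run(bool checked, size_t n, Recorder *J) {
  enum RecStatus st = REC_OK;
  J->maxslot = 1;  /* slot 0 holds the function, so the first free slot is 1 */
  for (size_t i = 0; i < n && st == REC_OK; i++)
    st = checked ? model_record_ret_checked(J, &huge_returns[i])
                 : model_record_ret_unchecked(J, &huge_returns[i]);
  return st;
}

/* Final status after n returns. */
static enum RecStatus status_after(bool checked, size_t n) {
  Recorder J;
  return model_run(checked, n, &J);
}

/* Recorder's maxslot after n returns (shows whether state was corrupted). */
static uint32_t maxslot_after(bool checked, size_t n) {
  Recorder J;
  model_run(checked, n, &J);
  return J.maxslot;
}

int main(void) {
  printf("unchecked: status %d, maxslot %u\n",
         (int)status_after(false, 3), maxslot_after(false, 3));
  printf("checked:   status %d, maxslot %u\n",
         (int)status_after(true, 3), maxslot_after(true, 3));
  return 0;
}
```

The unchecked variant ends with `maxslot` at 331 and the assertion-style check firing after the fact; the checked variant stops at 221 and reports a trace abort, which is the difference between a crash of the recorder and a trace that is simply not compiled.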

