Message-ID: <4edc42cc-953a-4d97-b66f-67c0bff5fa03@tarantool.org>
Date: Thu, 1 Feb 2024 13:57:33 +0300
To: Sergey Kaplun, Maxim Kokryashkin
Cc: tarantool-patches@dev.tarantool.org
References: <20240130150437.17133-1-skaplun@tarantool.org>
In-Reply-To: <20240130150437.17133-1-skaplun@tarantool.org>
Subject: Re: [Tarantool-patches] [PATCH luajit] Fix zero stripping in %g number formatting.
From: Sergey Bronnikov via Tarantool-patches
Reply-To: Sergey Bronnikov

Hi, Sergey

thanks for the patch! LGTM

On 1/30/24 18:04, Sergey Kaplun wrote:
> From: Mike Pall
>
> Reported by pwnhacker0x18.
>
> (cherry picked from commit 343ce0edaf3906a62022936175b2f5410024cbfc)
>
> In the situation when the precision (`prec`) and amount of digits
> (`hilen`) for the decimal representation are the same and `ndhi` == 0,
> the `ndlo` part will become 64 (the size of the `nd` stack buffer), and
> the overflow occurs.
>
> This patch adds the corresponding mask (0x3f == 63) for the `ndlo`
> incrementation result.
>
> Sergey Kaplun:
> * added the description and the test for the problem
>
> Part of tarantool/tarantool#9595
> ---
>
> Branch: https://github.com/tarantool/luajit/tree/skaplun/lj-1149-g-number-formating
> Tarantool PR: https://github.com/tarantool/tarantool/pull/9633
>
> The test fails on M1 with the
> timeout (see the example [1]). This fail is patch-unrelated, since I've
> obscured this failure even for the branch without sources changes (tests
> only).
>
> Related Issues:
> * https://github.com/LuaJIT/LuaJIT/issues/1149
> * https://github.com/tarantool/tarantool/issues/9595
>
> [1]: https://github.com/tarantool/luajit/actions/runs/7712549489/job/21020513973#step:8:5522
>
> Duration of failed tests (seconds):
> * 60.54 app-tap/gh-2717-no-quit-sigint.test.lua
>
> src/lj_strfmt_num.c | 3 ++-
> .../lj-1149-g-number-formating-bufov.test.lua | 20 +++++++++++++++++++
> 2 files changed, 22 insertions(+), 1 deletion(-)
> create mode 100644 test/tarantool-tests/lj-1149-g-number-formating-bufov.test.lua
> > diff --git a/src/lj_strfmt_num.c b/src/lj_strfmt_num.c > index c26204b7..c8d9febf 100644 > --- a/src/lj_strfmt_num.c > +++ b/src/lj_strfmt_num.c > @@ -454,7 +454,8 @@ static char *lj_strfmt_wfnum(SBuf *sb, SFormat sf, lua_Number n, char *p) > prec--; > if (!i) { > if (ndlo == ndhi) { prec = 0; break; } > - lj_strfmt_wuint9(tail, nd[++ndlo]); > + ndlo = (ndlo + 1) & 0x3f; > + lj_strfmt_wuint9(tail, nd[ndlo]); > i = 9; > } > } > diff --git a/test/tarantool-tests/lj-1149-g-number-formating-bufov.test.lua b/test/tarantool-tests/lj-1149-g-number-formating-bufov.test.lua > new file mode 100644 > index 00000000..040fd5de > --- /dev/null > +++ b/test/tarantool-tests/lj-1149-g-number-formating-bufov.test.lua > @@ -0,0 +1,20 @@ > +local tap = require('tap') > + > +-- Test file to demonstrate stack-buffer-overflow in the > +-- `lj_strfmt_wfnum()` call. > +-- See also: https://github.com/LuaJIT/LuaJIT/issues/1149. > + > +local test = tap.test('lj-1149-g-number-formating-bufov') > +test:plan(1) > + > +-- XXX: The test shows stack-buffer-overflow only under ASAN. > +-- The number value for the test is with the same precision > +-- (`prec` = 5) and amount of digits (`hilen` = 5) for the decimal > +-- representation. Hence, with `ndhi` == 0, the `ndlo` part will > +-- become 64 (the size of the `nd` stack buffer), and the overflow > +-- occurs. > +-- See details in the :`lj_strfmt_wfnum()`. > +test:is(string.format('%7g', 0x1.144399609d407p+401), '5.5733e+120', > + 'correct format %7g result') > + > +test:done(true)
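Review bot: in the `src/lj_strfmt_num.c` hunk, `ndlo = (ndlo + 1) & 0x3f;` hard-codes the 64-entry size of the `nd` stack buffer as a bare magic number at the point of use; a one-line comment stating that `nd` is a 64-slot ring and the mask is its wrap-around, or deriving the mask from the buffer size (e.g. `sizeof(nd)/sizeof(nd[0]) - 1`), would keep the two in sync if the buffer is ever resized, since the consequence of a mismatch is exactly the silent read of `nd[64]` this patch removes. Splitting the old `nd[++ndlo]` into a masked assignment followed by `lj_strfmt_wuint9(tail, nd[ndlo]);` is the right shape, because the wrapped index must be computed before it is used as a subscript.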
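Review bot: in the test hunk, the comment `-- See details in the :`lj_strfmt_wfnum()`.` has a stray colon before the backtick and should read `-- See details in the `lj_strfmt_wfnum()`.`; the file name, branch name and TAP test name also spell `formating` with one `t`, so consider `lj-1149-g-number-formatting-bufov` before the name lands in the tree. As the `XXX` comment says, the overflow itself only surfaces under ASAN, so on a normal build the only regression signal is the string comparison against `'5.5733e+120'`; it is worth adding a sentence to that comment explaining that the expected value has five significant digits because `%7g` produced a trailing zero that was stripped, which is the "zero stripping" named in the subject and the reason the `prec == hilen` corner is reached at all.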