From: Sergey Bronnikov via Tarantool-patches
Reply-To: Sergey Bronnikov
To: tarantool-patches@dev.tarantool.org, Sergey Kaplun, max.kokryashkin@gmail.com
Date: Tue, 29 Aug 2023 13:42:40 +0300
Message-Id: <8b2d744f68eb138c2b2c37e1ac851181e303b485.1693305720.git.sergeyb@tarantool.org>
Subject: [Tarantool-patches] [PATCH luajit] Fix predict_next() in parser (again).
List-Id: Tarantool development patches
X-Mailer: git-send-email 2.34.1
From: sergeyb@tarantool.org

Reported by Sergey Bronnikov. #1054

(cherry picked from commit 309fb42b871b6414f53e0e0e708bce0b0d62daff)

The following Lua snippet triggers an out-of-bounds access to a stack:

```lua
a, b, c = 1, 2, 3
local d
for _ in nil do end
```

When the snippet is executed by LuaJIT instrumented with ASAN, it leads to
a heap-buffer-overflow. In the function `predict_next`, the variable
`exprpc` looks forward and expects extra bytecodes on the stack. However,
`KPRI` is merged into the `KNIL` and there is no new bytecode to add, so
`exprpc == fs->bclim` and this leads to an out-of-bounds access.

Sergey Bronnikov:
* added the description and the test for the problem

Part of tarantool/tarantool#8825
---
PR: https://github.com/tarantool/tarantool/pull/9054
Branch: https://github.com/tarantool/luajit/tree/ligurio/lj-1054-incorrect-pc-value-predict_next
Related issue:
* https://github.com/LuaJIT/LuaJIT/issues/1054

 src/lj_parse.c                                     |  4 +++-
 ...incorrect-pc-value-in-predict_next.test.lua     | 18 ++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 test/tarantool-tests/lj-1054-incorrect-pc-value-in-predict_next.test.lua

diff --git a/src/lj_parse.c b/src/lj_parse.c
index 343fa797..f1015960 100644
--- a/src/lj_parse.c
+++ b/src/lj_parse.c
@@ -2511,9 +2511,11 @@ static void parse_for_num(LexState *ls, GCstr *varname, BCLine line) */ static int predict_next(LexState *ls, FuncState *fs, BCPos pc) { - BCIns ins = fs->bcbase[pc].ins; + BCIns ins; GCstr *name; cTValue *o; + if (pc >= fs->bclim) return 0; + ins = fs->bcbase[pc].ins; switch (bc_op(ins)) { case BC_MOV: name = gco2str(gcref(var_get(ls, fs, bc_d(ins)).name));
diff --git a/test/tarantool-tests/lj-1054-incorrect-pc-value-in-predict_next.test.lua b/test/tarantool-tests/lj-1054-incorrect-pc-value-in-predict_next.test.lua
new file mode 100644
index 00000000..17f1b994
--- /dev/null
+++ b/test/tarantool-tests/lj-1054-incorrect-pc-value-in-predict_next.test.lua
@@ -0,0 +1,18 @@ +local tap = require('tap') +local test = tap.test('lj-1054-incorrect-pc-value-in-predict_next') +test:plan(1) + + +-- The test demonstrates a problem with out of boundary access to a stack. +-- Sample executed in LuaJIT instrumented by ASAN leads to +-- a heap-buffer-overflow. +-- See also https://github.com/LuaJIT/LuaJIT/issues/528 +local lua_code = [[ +a, b, c = 1, 2, 3 +local d +for _ in nil do end +]] + +test:ok(loadstring(lua_code), 'parsing is correct') + +test:done(true) -- 2.34.1
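Review bot: in the src/lj_parse.c hunk, the new guard `if (pc >= fs->bclim) return 0;` bounds the read by the buffer's capacity, which covers the `exprpc == fs->bclim` case from the commit message, but the message also says the iterator expression emitted no new bytecode, so `exprpc` points at a slot that was never written for this expression; whenever that slot lies below `fs->bclim` the read is in bounds but stale, and the prediction is made from whatever the buffer last held there. Is the position of the next instruction to be emitted (`fs->pc` in FuncState) the tighter bound to compare against, or is the stale read known to be harmless because the prediction is later validated? Either way, a one-line comment above the check saying why `pc` can reach the limit (the merged `KPRI`/`KNIL` case) would spare the next reader a trip to the issue tracker.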
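Review bot: the comment in the new test points at https://github.com/LuaJIT/LuaJIT/issues/528, while the subject, the file name (lj-1054-...) and the "Related issue" link all refer to LuaJIT issue 1054; unless 528 is meant as a deliberate cross-reference, the link looks like a copy-paste leftover and should be 1054. Two smaller points: `test:ok(loadstring(lua_code), 'parsing is correct')` only fails if the parser rejects the snippet, and the overflow described in the comment is only observable in an ASAN build, so the test should say so in its comment (it passes on the unfixed parser otherwise); and there is a stray second blank line after `test:plan(1)`.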
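The mechanism the commit message describes, as an added example that is neither part of this patch nor LuaJIT's code: a small C model of the parser's bytecode buffer. The field names `bcbase`, `pc` and `bclim` follow the ones used in the diff; the struct, the opcode values, the emit/predict helpers and the `scenario` driver are assumptions made here for illustration. It reproduces the report's shape (one instruction emitted, the iterator expression adds nothing, so the lookahead position equals the fill level) both for a buffer that is exactly full and for one with spare capacity, and compares an unchecked lookahead, a lookahead bounded by the capacity as in the patch, and one bounded by the fill level.

```c
/* Model of a parser bytecode buffer and a forward-looking prediction.
 * Not LuaJIT's code: names mirror the patch, everything else is assumed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint32_t BCIns;
typedef uint32_t BCPos;

/* Opcodes for the model only; the values are arbitrary. */
enum { BC_KNIL_M = 1, BC_MOV_M = 2 };

typedef struct {
  BCIns *bcbase;  /* instruction buffer */
  BCPos pc;       /* next free slot, i.e. number of emitted instructions */
  BCPos bclim;    /* capacity of bcbase */
} FuncStateModel;

/* Allocate `cap` slots. Unused slots are deliberately filled with a stale
 * MOV so that a read of a never-emitted slot shows up as a wrong
 * prediction instead of a harmless zero. */
static void fs_init(FuncStateModel *fs, BCPos cap)
{
  fs->bcbase = (BCIns *)malloc(cap * sizeof(BCIns));
  for (BCPos i = 0; i < cap; i++) fs->bcbase[i] = BC_MOV_M;
  fs->pc = 0;
  fs->bclim = cap;
}

static void fs_free(FuncStateModel *fs)
{
  free(fs->bcbase);
  fs->bcbase = NULL;
}

/* Append one instruction, growing the buffer when it is full. */
static void fs_emit(FuncStateModel *fs, BCIns ins)
{
  if (fs->pc >= fs->bclim) {
    BCPos old = fs->bclim;
    fs->bclim *= 2;
    fs->bcbase = (BCIns *)realloc(fs->bcbase, fs->bclim * sizeof(BCIns));
    for (BCPos i = old; i < fs->bclim; i++) fs->bcbase[i] = BC_MOV_M;
  }
  fs->bcbase[fs->pc++] = ins;
}

/* The prediction itself. In this model "the expression is a MOV" stands
 * in for the real parser's check on the iterator expression. */
static int looks_like_next(const FuncStateModel *fs, BCPos pc)
{
  return fs->bcbase[pc] == BC_MOV_M;
}

/* Shape of predict_next() before the patch: no bound at all. The model
 * refuses the out-of-bounds read and returns -1 rather than performing it;
 * on the real code that read is what ASAN reports as heap-buffer-overflow. */
static int predict_unchecked(const FuncStateModel *fs, BCPos pc)
{
  if (pc >= fs->bclim) return -1;
  return looks_like_next(fs, pc);
}

/* Bound from the patch: the capacity of the buffer. */
static int predict_bclim(const FuncStateModel *fs, BCPos pc)
{
  if (pc >= fs->bclim) return 0;
  return looks_like_next(fs, pc);
}

/* Tighter bound: the fill level. A slot at or beyond fs->pc was never
 * emitted for the expression being predicted, so no prediction is made. */
static int predict_pc(const FuncStateModel *fs, BCPos pc)
{
  if (pc >= fs->pc) return 0;
  return looks_like_next(fs, pc);
}

typedef int (*predict_fn)(const FuncStateModel *, BCPos);

/* Report's shape: `local d` leaves a KNIL, `for _ in nil do end` merges
 * into it and emits nothing, so the lookahead position equals fs->pc.
 * With `cap` slots, that position equals bclim only when cap == 1.
 * Returns 1 = predicted, 0 = not predicted, -1 = read would be out of bounds. */
static int scenario(BCPos cap, predict_fn predict)
{
  FuncStateModel fs;
  fs_init(&fs, cap);
  fs_emit(&fs, BC_KNIL_M);          /* the pending KNIL from `local d` */
  int r = predict(&fs, fs.pc);      /* exprpc == fs.pc: nothing was added */
  fs_free(&fs);
  return r;
}

int main(void)
{
  printf("exactly full  : unchecked=%d bclim=%d pc=%d\n",
         scenario(1, predict_unchecked), scenario(1, predict_bclim),
         scenario(1, predict_pc));
  printf("spare capacity: unchecked=%d bclim=%d pc=%d\n",
         scenario(4, predict_unchecked), scenario(4, predict_bclim),
         scenario(4, predict_pc));
  return 0;
}
```

Compile with `cc -std=c99 model.c` and run. The exactly-full buffer is the case from the report (the unchecked variant would read past the allocation), while the spare-capacity buffer shows that a capacity bound alone still lets the prediction read a slot that was never emitted for this expression, which is the point a reviewer would want settled against the real parser rather than this model.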