Subject: Re: [Tarantool-patches] [PATCH luajit] Fix predict_next() in parser (again).
From: Igor Munkin via Tarantool-patches
To: Sergey Bronnikov
Cc: max.kokryashkin@gmail.com, tarantool-patches@dev.tarantool.org
Date: Wed, 27 Sep 2023 12:33:15 +0000
In-Reply-To: <8b2d744f68eb138c2b2c37e1ac851181e303b485.1693305720.git.sergeyb@tarantool.org>
List-Id: Tarantool development patches

Sergey,

I've checked the patchset into all long-term branches in tarantool/luajit
and bumped a new version in master, release/2.11 and release/2.10.

On 29.08.23, Sergey Bronnikov via Tarantool-patches wrote:
> From: sergeyb@tarantool.org
>
> Reported by Sergey Bronnikov. #1054
>
> (cherry picked from commit 309fb42b871b6414f53e0e0e708bce0b0d62daff)
>
> The following Lua snippet triggers an out-of-bounds access to a stack:
>
> ```lua
> a, b, c = 1, 2, 3
> local d
> for _ in nil do end
> ```
>
> Executing the snippet with a LuaJIT instrumented by ASAN leads to
> a heap-buffer-overflow.
>
> In the function `predict_next`, the variable `exprpc` looks forward and
> expects extra bytecodes on the stack. However, `KPRI` is merged into the
> `KNIL` and there is no new bytecode to add, so `exprpc == fs->bclim` and
> it leads to an out-of-bounds access.
>
> Sergey Bronnikov:
> * added the description and the test for the problem
>
> Part of tarantool/tarantool#8825
> ---
>
> PR: https://github.com/tarantool/tarantool/pull/9054
> Branch: https://github.com/tarantool/luajit/tree/ligurio/lj-1054-incorrect-pc-value-predict_next
> Related issue:
> * https://github.com/LuaJIT/LuaJIT/issues/1054
>
>  src/lj_parse.c                                 |  4 +++-
>  ...incorrect-pc-value-in-predict_next.test.lua | 18 ++++++++++++++++++
>  2 files changed, 21 insertions(+), 1 deletion(-)
>  create mode 100644 test/tarantool-tests/lj-1054-incorrect-pc-value-in-predict_next.test.lua
>
> --
> 2.34.1
>

--
Best regards,
IM
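Added example, not part of the thread above and not the regression test the patch adds: a stand-alone Lua check that compiles the snippet from the commit message without executing it. The defect is in the parser (`predict_next` reading past `fs->bclim`), so the meaningful check is that `load`/`loadstring` returns a function; on an ASAN-instrumented LuaJIT without the fix, compilation itself reports the heap-buffer-overflow. The chunk name and the `assert` message are assumptions of this example.

```lua
-- Constructed regression check for the parser crash described in the
-- commit message (LuaJIT/LuaJIT#1054). Only compilation is exercised:
-- the generic `for` over nil would raise a runtime error if run, but the
-- bug lives in lj_parse.c, before any bytecode is executed.
local chunk = [[
a, b, c = 1, 2, 3
local d
for _ in nil do end
]]

-- LuaJIT accepts a string in load() (Lua 5.2 extension); loadstring() is
-- the Lua 5.1 spelling. Use whichever is present so the check runs on both.
local compile = loadstring or load

-- A fixed parser returns a function; an unfixed ASAN build aborts here
-- instead of returning, which is the signal a CI job should look for.
local fn, err = compile(chunk, '=lj-1054-constructed')
assert(fn, 'parser failed to compile the chunk: ' .. tostring(err))

print('predict_next() regression check passed')
```

Running this under an ASAN-instrumented interpreter (as the commit message describes) is what turns the out-of-bounds read into a hard failure; a plain release build may compile the chunk silently even when the read happens, so the sanitizer build is the one to keep in CI for this class of parser bug.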