From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from [87.239.111.99] (localhost [127.0.0.1]) by dev.tarantool.org (Postfix) with ESMTP id BBDF36EB727; Thu, 23 Nov 2023 09:36:47 +0300 (MSK) DKIM-Filter: OpenDKIM Filter v2.11.0 dev.tarantool.org BBDF36EB727 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tarantool.org; s=dev; t=1700721407; bh=SnM8Iafa1D/Bxmt5aKGnk3uyiyd3J1sr7uSwVW/yH7Q=; h=Date:To:References:In-Reply-To:Subject:List-Id:List-Unsubscribe: List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc: From; b=tW8e3ND4JBa7log+0TpV4xw4Tf1ilN3XK8UetmOx+RIenvXWFzIlWSaj5J/7xzeK6 6FknXPCgTcCKDjlIf1Mw47ZcHWcOZSg5/Or0iW/PjT4+47QZx7Up+a4ZoYZikTSCqx wSdRllyVHTsa1zio9bl9qbnklXC9tdMwJGoOqBn8= Received: from smtp37.i.mail.ru (smtp37.i.mail.ru [95.163.41.78]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by dev.tarantool.org (Postfix) with ESMTPS id 0E5E06EB727 for ; Thu, 23 Nov 2023 09:35:26 +0300 (MSK) DKIM-Filter: OpenDKIM Filter v2.11.0 dev.tarantool.org 0E5E06EB727 Received: by smtp37.i.mail.ru with esmtpa (envelope-from ) id 1r63J7-00EwSv-0W; Thu, 23 Nov 2023 09:35:25 +0300 Date: Thu, 23 Nov 2023 06:31:01 +0000 To: Sergey Kaplun Message-ID: References: <20231108084044.6654-1-skaplun@tarantool.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20231108084044.6654-1-skaplun@tarantool.org> X-Clacks-Overhead: GNU Terry Pratchett X-Mailru-Src: smtp X-4EC0790: 10 X-7564579A: 646B95376F6C166E X-77F55803: 4F1203BC0FB41BD92D71B79D2A671AE6841DCBDEF8A46A2F41DDB7EA50E3A76C182A05F5380850403721034D63E64B3FBFE3E450C711BC458D7440ECD1959638B8747650E15FD54B X-7FA49CB5: FF5795518A3D127A4AD6D5ED66289B5278DA827A17800CE76D34FAA3D8B31588C2099A533E45F2D0395957E7521B51C2CFCAF695D4D8E9FCEA1F7E6F0F101C6778DA827A17800CE723A0121E4B9CF535EA1F7E6F0F101C6723150C8DA25C47586E58E00D9D99D84E1BDDB23E98D2D38B73AB1701401CD8710DE0EF906E995774EECADE8058EC90FACC7F00164DA146DAFE8445B8C89999728AA50765F7900637BA939FD1B3BAB99B389733CBF5DBD5E9C8A9BA7A39EFB766F5D81C698A659EA7CC7F00164DA146DA9985D098DBDEAEC8C2B5EEE3591E0D35F6B57BC7E6449061A352F6E88A58FB86F5D81C698A659EA73AA81AA40904B5D9A18204E546F3947C0085B890FD2717DA6E0066C2D8992A164AD6D5ED66289B523666184CF4C3C14F6136E347CC761E07725E5C173C3A84C3EB76C46DA57105D6BA3038C0950A5D36B5C8C57E37DE458B330BD67F2E7D9AF16D1867E19FE14079C09775C1D3CA48CF4964A708C60C975A1DD303D21008E298D5E8D9A59859A8B6B372FE9A2E580EFC725E5C173C3A84C309BC2A87FC68FC48089D37D7C0E48F6C5571747095F342E88FB05168BE4CE3AF X-C1DE0DAB: 0D63561A33F958A53C49AB95751589B7CABCBD658D9A0A5ED0D457DF1C33BD57F87CCE6106E1FC07E67D4AC08A07B9B04B3849D6E5CCBAFDBDAD6C7F3747799A X-C8649E89: 1C3962B70DF3F0ADE00A9FD3E00BEEDF3FED46C3ACD6F73ED3581295AF09D3DF87807E0823442EA2ED31085941D9CD0AF7F820E7B07EA4CFFFFA6415DDC4AD457211820798E690068930CC4B1793D6CFD0EEA469735B3D5314625291CC5E48B96E159192F517E6712A15ADA9587DA08E4851C299D912083D461A413F07889F2102C26D483E81D6BEECAEF3E2CCC1ED8C383653B6C8D9AE0FD16FCAA6493B703A X-D57D3AED: 3ZO7eAau8CL7WIMRKs4sN3D3tLDjz0dLbV79QFUyzQ2Ujvy7cMT6pYYqY16iZVKkSc3dCLJ7zSJH7+u4VD18S7Vl4ZUrpaVfd2+vE6kuoey4m4VkSEu530nj6fImhcD4MUrOEAnl0W826KZ9Q+tr5ycPtXkTV4k65bRjmOUUP8cvGozZ33TWg5HZplvhhXbhDGzqmQDTd6OAevLeAnq3Ra9uf7zvY2zzsIhlcp/Y7m53TZgf2aB4JOg4gkr2biojOz05VK5QHNoKfEeYg6tFKQ== X-Mailru-Sender: 2FEBA92C8E508479FE7B9A1DF348D5311A0CF5E08F56F5DA6DF34425CA39FDCAE149678E31B8773C2326FE6F2A341ACE0FB9F97486540B4CD9E8847AB8CFED4D9ABF8A61C016C2CFB0DAF586E7D11B3E67EA787935ED9F1B X-Mras: Ok Subject: Re: [Tarantool-patches] [PATCH luajit] FFI: Fix pragma push stack limit check and throw on overflow. X-BeenThere: tarantool-patches@dev.tarantool.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Tarantool development patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , From: Igor Munkin via Tarantool-patches Reply-To: Igor Munkin Cc: tarantool-patches@dev.tarantool.org Errors-To: tarantool-patches-bounces@dev.tarantool.org Sender: "Tarantool-patches" Sergey, I've checked the patchset into all long-term branches in tarantool/luajit and bumped a new version in master, release/2.11 and release/2.10. On 08.11.23, Sergey Kaplun wrote: > From: Mike Pall > > Reported by Sergey Kaplun. > > (cherry-picked from commit 433d7e8d8d182f44e88b5cfdc4b2d3026469dfb7) > > `cp->packstack` is the array of size `CPARSE_MAX_PACKSTACK` (7). Before > the patch, `cp->curpack` is checked to be less than > `CPARSE_MAX_PACKSTACK`, but then `cp->packstack` is accessed at > `cp->curpack + 1`, which is out of bounds, so `cp->curpack` value is > overwritten. > > This patch fixes a condition and also adds the error throw when counter > is overflow (instead of rewriting a top `cp->packstack` value). > > Sergey Kaplun: > * added the description and the test for the problem > > Resolves tarantool/tarantool#9339 > Part of tarantool/tarantool#9145 > --- > > Branch: https://github.com/tarantool/luajit/tree/skaplun/lj-1114-ffi-pragma-pack > Tarantool PR: https://github.com/tarantool/tarantool/pull/9342 > Relate issues: > * https://github.com/LuaJIT/LuaJIT/issues/1114 > * https://github.com/tarantool/tarantool/issues/9339 > * https://github.com/tarantool/tarantool/issues/9145 > > src/lj_cparse.c | 4 +- > .../lj-1114-ffi-pragma-pack.test.lua | 44 +++++++++++++++++++ > 2 files changed, 47 insertions(+), 1 deletion(-) > create mode 100644 test/tarantool-tests/lj-1114-ffi-pragma-pack.test.lua > > diff --git a/src/lj_cparse.c b/src/lj_cparse.c > index 6d9490ca..01deb3bf 100644 > --- a/src/lj_cparse.c > +++ b/src/lj_cparse.c > @@ -1777,9 +1777,11 @@ static void cp_pragma(CPState *cp, BCLine pragmaline) > cp_check(cp, '('); > if (cp->tok == CTOK_IDENT) { > if (cp_str_is(cp->str, "push")) { > - if (cp->curpack < CPARSE_MAX_PACKSTACK) { > + if (cp->curpack < CPARSE_MAX_PACKSTACK-1) { > cp->packstack[cp->curpack+1] = cp->packstack[cp->curpack]; > cp->curpack++; > + } else { > + cp_errmsg(cp, cp->tok, LJ_ERR_XLEVELS); > } > } else if (cp_str_is(cp->str, "pop")) { > if (cp->curpack > 0) cp->curpack--; > diff --git a/test/tarantool-tests/lj-1114-ffi-pragma-pack.test.lua b/test/tarantool-tests/lj-1114-ffi-pragma-pack.test.lua > new file mode 100644 > index 00000000..e5642828 > --- /dev/null > +++ b/test/tarantool-tests/lj-1114-ffi-pragma-pack.test.lua > @@ -0,0 +1,44 @@ > +local tap = require('tap') > + > +-- Test file to demonstrate LuaJIT incorrect parsing of `#pragma` > +-- directive via FFI. > +-- See also: https://github.com/LuaJIT/LuaJIT/issues/1114. > + > +local test = tap.test('lj-1114-ffi-pragma-pack') > +local ffi = require 'ffi' > + > +test:plan(2) > + > +-- `cp->packstack` is the array of size `CPARSE_MAX_PACKSTACK` > +-- (7). Before the patch, `cp->curpack` is checked to be less than > +-- `CPARSE_MAX_PACKSTACK`, but then `cp->packstack` is accessed at > +-- `cp->curpack + 1`, which is out of bounds, so `cp->curpack` > +-- value is overwritten. > +-- As a result, the incorrect pack value (1) is chosen after pop. > +-- After the patch, the error is thrown in the case of overflow > +-- (instead of rewriting the top pack slot value), so we use the > +-- wrapper to catch the error. > +local function ffi_cdef_wp() > + ffi.cdef[[ > + #pragma pack(push, 1) > + #pragma pack(push, 1) > + #pragma pack(push, 1) > + #pragma pack(push, 1) > + #pragma pack(push, 8) > + #pragma pack(push, 8) > + #pragma pack(push, 8) > + #pragma pack(pop) > + struct aligned_struct {uint64_t a; uint8_t b;}; > + ]] > + > + -- Got 9 in case of buffer overflow. > + return ffi.sizeof(ffi.new('struct aligned_struct')) > +end > + > +local err, msg = pcall(ffi_cdef_wp) > + > +test:ok(not err, 'the error is thrown when couner overflows') > +test:like(msg, 'chunk has too many syntax levels', > + 'the error message is correct') > + > +test:done(true) > -- > 2.42.0 > -- Best regards, IM