To: Maxim Kokryashkin, Sergey Bronnikov
Date: Mon, 23 Oct 2023 12:22:04 +0300
X-Mailer: git-send-email 2.42.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: [Tarantool-patches] [PATCH luajit 4/6] FFI: Fix dangling reference to CType.
X-BeenThere: tarantool-patches@dev.tarantool.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Tarantool development patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , From: Sergey Kaplun via Tarantool-patches Reply-To: Sergey Kaplun Cc: tarantool-patches@dev.tarantool.org Errors-To: tarantool-patches-bounces@dev.tarantool.org Sender: "Tarantool-patches" From: Mike Pall (cherry-picked from commit ae533e3a6c009b5df79b11cd5787d249202fa69c) During the conversion of a cdata function object to some cdata value in `lj_cconv_ct_tv()`, reallocation of `cts->tab` in `lj_ctype_intern()` may occur. In that case, the reference to the `CType` object becomes invalid. This patch saves the `CTypeID` of the given function and gets its `CType` again after possible reallocation. Sergey Kaplun: * added the description and the test for the problem Part of tarantool/tarantool#9145 --- src/lj_cconv.c | 2 + .../fix-dangling-reference-to-ctype.test.lua | 59 +++++++++++++++++++ 2 files changed, 61 insertions(+) create mode 100644 test/tarantool-tests/fix-dangling-reference-to-ctype.test.lua diff --git a/src/lj_cconv.c b/src/lj_cconv.c index 37c88852..94ca93bb 100644 --- a/src/lj_cconv.c +++ b/src/lj_cconv.c @@ -568,7 +568,9 @@ void lj_cconv_ct_tv(CTState *cts, CType *d, } s = ctype_raw(cts, sid); if (ctype_isfunc(s->info)) { + CTypeID did = ctype_typeid(cts, d); sid = lj_ctype_intern(cts, CTINFO(CT_PTR, CTALIGN_PTR|sid), CTSIZE_PTR); + d = ctype_get(cts, did); /* cts->tab may have been reallocated. */ } else { if (ctype_isenum(s->info)) s = ctype_child(cts, s); goto doconv; diff --git a/test/tarantool-tests/fix-dangling-reference-to-ctype.test.lua b/test/tarantool-tests/fix-dangling-reference-to-ctype.test.lua new file mode 100644 index 00000000..c0e2c07b --- /dev/null +++ b/test/tarantool-tests/fix-dangling-reference-to-ctype.test.lua 
@@ -0,0 +1,59 @@ +local tap = require('tap') +local ffi = require('ffi') +local test = tap.test('fix-dangling-reference-to-ctype'):skipcond({ + -- luacheck: no global + ['Impossible to predict the value of cts->top'] = _TARANTOOL, +}) + +test:plan(1) + +-- This test demonstrates LuaJIT's incorrect behaviour when the +-- reallocation of `cts->tab` strikes during the conversion of a +-- TValue (cdata function pointer) to a C type. +-- The test fails under ASAN. + +-- XXX: Just some C functions to be casted. There is no need to +-- declare their prototypes correctly. +ffi.cdef[[ + int malloc(void); + int fprintf(void); + int printf(void); + int memset(void); + int memcpy(void); + int memmove(void); + int getppid(void); +]] + +-- XXX: structure to set `cts->top` to 110. +local _ = ffi.new('struct {int a; long b; float c; double d;}', 0) + +-- Anchor table to prevent cdata objects from being collected. +local anchor = {} +-- Each call to this function grows `cts->top` by 3. +local function save_new_func(func) + anchor[#anchor + 1] = ffi.cast('void (*)(void)', func) +end + +save_new_func(ffi.C.malloc) -- `cts->top` = 110 +save_new_func(ffi.C.fprintf) -- `cts->top` = 113 +save_new_func(ffi.C.printf) -- `cts->top` = 116 +save_new_func(ffi.C.memset) -- `cts->top` = 119 +save_new_func(ffi.C.memcpy) -- `cts->top` = 122 + +-- Assertions to check the `cts->top` value and step between +-- calls. +assert(ffi.typeinfo(122), 'cts->top >= 122') +assert(not ffi.typeinfo(123), 'cts->top < 123') + +save_new_func(ffi.C.memmove) -- `cts->top` = 125 + +assert(ffi.typeinfo(125), 'cts->top >= 125') +assert(not ffi.typeinfo(126), 'cts->top < 126') + +-- Last call to grow `cts->top` up to 128, so this causes +-- `cts->tab` reallocation. +save_new_func(ffi.C.getppid) -- `cts->top` = 128 + +test:ok(true, 'no heap-use-after-free in lj_cconv_ct_tv') + +test:done(true) -- 2.42.0
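Review bot: in the lj_cconv.c hunk, `d` is re-fetched after `lj_ctype_intern()`, but `s`, obtained just above by `s = ctype_raw(cts, sid);`, is a pointer into the same `cts->tab` and is equally stale once the table moves; the function branch reassigns `sid` and does not touch `s` inside the `if`, so please confirm that nothing after the `if`/`else` dereferences `s` on this path, or re-fetch it with `ctype_get(cts, sid)` the same way. Keeping `did` only inside the `ctype_isfunc()` branch is the right scope, since `lj_ctype_intern()` is the only call here that can grow the table; a short comment above `CTypeID did = ctype_typeid(cts, d);` stating that the ID rather than the pointer is kept because the table may be reallocated would make the intent visible at the point where the ID is saved, not only on the re-fetch line.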
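Review bot: the test hard-codes absolute `cts->top` values (110 after the struct, then +3 per `ffi.cast`, up to 128) that depend on how many C types are already interned when the test starts; any change to the set of predefined types shifts the baseline and turns the `assert(ffi.typeinfo(122), ...)` / `assert(not ffi.typeinfo(123), ...)` pairs into false failures, which the `skipcond` for `_TARANTOOL` already hints at. Consider probing the current top with `ffi.typeinfo()` in a loop before the first `save_new_func()` and deriving the expected values from it, so that only the step of 3 and the reallocation threshold are asserted. Since `test:ok(true, ...)` can only fail by the process dying, the heap-use-after-free is caught solely by ASAN, as the comment says; it is worth stating in the commit message that the test is effective only in ASAN builds. Minor: "to be casted" in the comment should read "to be cast".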
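The failure mode the commit message describes, a `CType *` into `cts->tab` held across the `lj_ctype_intern()` call that may reallocate the table, and the fix of saving the `CTypeID` and re-fetching, as an added illustration in C. This is example code written for this note, not LuaJIT's source: the `CTState`, `CType`, `ctype_intern`, `ctype_get` and `ctype_typeid` names here are a deliberately simplified toy model of the real structures, the capacity, growth factor and `info` values are arbitrary, and the stale pointer is only ever compared as an integer and never dereferenced, so the block runs cleanly under ASAN.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of a growable type table addressed by ID. Simplified for this
 * example; not LuaJIT's real CTState/CType layout. */
typedef uint32_t CTypeID;
typedef struct { uint32_t info; uint32_t size; } CType;
typedef struct { CType *tab; CTypeID top; CTypeID sizetab; } CTState;

static void ctstate_init(CTState *cts, CTypeID cap) {
  cts->tab = calloc(cap, sizeof(CType));
  cts->top = 0;
  cts->sizetab = cap;
}

static void ctstate_free(CTState *cts) { free(cts->tab); cts->tab = NULL; }

/* Append a type. When the table is full it is moved to a fresh block and the
 * old block released: this is the event that invalidates every CType* a
 * caller still holds (the reallocation inside lj_ctype_intern()). */
static CTypeID ctype_intern(CTState *cts, uint32_t info, uint32_t size) {
  if (cts->top == cts->sizetab) {
    CTypeID newsz = cts->sizetab * 2;           /* growth factor: arbitrary */
    CType *newtab = calloc(newsz, sizeof(CType));
    memcpy(newtab, cts->tab, cts->top * sizeof(CType));
    free(cts->tab);                             /* old addresses now dangle */
    cts->tab = newtab;
    cts->sizetab = newsz;
  }
  CTypeID id = cts->top++;
  cts->tab[id].info = info;
  cts->tab[id].size = size;
  return id;
}

static CType *ctype_get(CTState *cts, CTypeID id) { return &cts->tab[id]; }
static CTypeID ctype_typeid(CTState *cts, CType *ct) {
  return (CTypeID)(ct - cts->tab);
}

/* Buggy shape: keep CType *d across an intern that may grow the table.
 * Returns 1 when d no longer points inside cts->tab. The stale pointer was
 * captured as an integer beforehand and is never dereferenced. */
static int convert_buggy(CTState *cts, CType *d) {
  uintptr_t before = (uintptr_t)d;
  (void)ctype_intern(cts, 0xA5 /* arbitrary info */, sizeof(void *));
  uintptr_t lo = (uintptr_t)cts->tab;
  uintptr_t hi = lo + (uintptr_t)cts->sizetab * sizeof(CType);
  return !(before >= lo && before < hi);
}

/* Fixed shape, as in the patch: remember the ID, intern, then re-fetch.
 * Returns 1 when the re-fetched pointer is valid and addresses the same entry. */
static int convert_fixed(CTState *cts, CType *d, CType **out) {
  CTypeID did = ctype_typeid(cts, d);
  (void)ctype_intern(cts, 0xA5, sizeof(void *));
  d = ctype_get(cts, did);        /* cts->tab may have been reallocated. */
  *out = d;
  return d == &cts->tab[did];
}

/* Fill the table exactly to capacity so the next intern forces a move,
 * mirroring the test's cts->top == 128 threshold. */
int demo_dangling(void) {
  CTState cts; ctstate_init(&cts, 4);
  for (uint32_t i = 0; i < 4; i++) ctype_intern(&cts, i, 4);
  CType *d = ctype_get(&cts, 2);
  int dangling = convert_buggy(&cts, d);
  ctstate_free(&cts);
  return dangling;                /* 1: the old pointer is outside the table */
}

int demo_fixed(void) {
  CTState cts; ctstate_init(&cts, 4);
  for (uint32_t i = 0; i < 4; i++) ctype_intern(&cts, i, 4);
  CType *d = ctype_get(&cts, 2);
  CType *after = NULL;
  int ok = convert_fixed(&cts, d, &after);
  ok = ok && after->info == 2;    /* entry survived the move intact */
  ctstate_free(&cts);
  return ok;
}
```

Because the new block is allocated before the old one is freed, the two never overlap, so `demo_dangling()` deterministically reports the stale pointer regardless of allocator behaviour; with a real `realloc()` the move is only probable, which is why the Lua test has to steer `cts->top` to the exact threshold.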