Date: Wed, 31 Jan 2024 12:42:13 +0300
From: Maxim Kokryashkin via Tarantool-patches
Reply-To: Maxim Kokryashkin
To: Sergey Kaplun
Cc: tarantool-patches@dev.tarantool.org
Subject: Re: [Tarantool-patches] [PATCH luajit] Fix zero stripping in %g number formatting.
In-Reply-To: <20240130150437.17133-1-skaplun@tarantool.org>
List-Id: Tarantool development patches

Hi, Sergey!

Thanks for the patch!
LGTM, except for two nits regarding the commit message, and two nits
regarding the test case comment.

On Tue, Jan 30, 2024 at 06:04:37PM +0300, Sergey Kaplun wrote:
> From: Mike Pall
>
> Reported by pwnhacker0x18.
>
> (cherry picked from commit 343ce0edaf3906a62022936175b2f5410024cbfc)
>
> In the situation when the precision (`prec`) and amount of digits
> (`hilen`) for the decimal representation are the same and `ndhi` == 0,
> the `ndlo` part will become 64 (the size of the `nd` stack buffer), and

Typo: s/will become/becomes/

> the overflow occurs.
>
> This patch adds the corresponding mask (0x3f == 63) for the `ndlo`
> incrementation result.

Please mention that all of this happens in the `lj_strfmt_wfnum` function
in the commit message.

>
> Sergey Kaplun:
> * added the description and the test for the problem
>
> Part of tarantool/tarantool#9595
> ---
>
> Branch: https://github.com/tarantool/luajit/tree/skaplun/lj-1149-g-number-formating
> Tarantool PR: https://github.com/tarantool/tarantool/pull/9633
>
> The test fails on M1 with the timeout (see the example [1]). This fail
> is patch-unrelated, since I've obscured this failure even for the
> branch without source changes (tests only).
>
> Related Issues:
> * https://github.com/LuaJIT/LuaJIT/issues/1149
> * https://github.com/tarantool/tarantool/issues/9595
>
> [1]: https://github.com/tarantool/luajit/actions/runs/7712549489/job/21020513973#step:8:5522
>
> Duration of failed tests (seconds):
> * 60.54 app-tap/gh-2717-no-quit-sigint.test.lua
>
>  src/lj_strfmt_num.c                           |  3 ++-
>  .../lj-1149-g-number-formating-bufov.test.lua | 20 +++++++++++++++++++
>  2 files changed, 22 insertions(+), 1 deletion(-)
>  create mode 100644 test/tarantool-tests/lj-1149-g-number-formating-bufov.test.lua
>
> diff --git a/src/lj_strfmt_num.c b/src/lj_strfmt_num.c
> index c26204b7..c8d9febf 100644
> --- a/src/lj_strfmt_num.c
> +++ b/src/lj_strfmt_num.c
> @@ -454,7 +454,8 @@ static char *lj_strfmt_wfnum(SBuf *sb, SFormat sf, lua_Number n, char *p) > prec--; > if (!i) { > if (ndlo == ndhi) { prec = 0; break; } > - lj_strfmt_wuint9(tail, nd[++ndlo]); > + ndlo = (ndlo + 1) & 0x3f; > + lj_strfmt_wuint9(tail, nd[ndlo]); > i = 9; > } > } > diff --git a/test/tarantool-tests/lj-1149-g-number-formating-bufov.test.lua b/test/tarantool-tests/lj-1149-g-number-formating-bufov.test.lua > new file mode 100644 > index 00000000..040fd5de > --- /dev/null > +++ b/test/tarantool-tests/lj-1149-g-number-formating-bufov.test.lua > @@ -0,0 +1,20 @@ > +local tap = require('tap') > + > +-- Test file to demonstrate stack-buffer-overflow in the > +-- `lj_strfmt_wfnum()` call. > +-- See also: https://github.com/LuaJIT/LuaJIT/issues/1149. > + > +local test = tap.test('lj-1149-g-number-formating-bufov') > +test:plan(1) > + > +-- XXX: The test shows stack-buffer-overflow only under ASAN. > +-- The number value for the test is with the same precision Typo: s/is with/has/ > +-- (`prec` = 5) and amount of digits (`hilen` = 5) for the decimal > +-- representation. Hence, with `ndhi` == 0, the `ndlo` part will > +-- become 64 (the size of the `nd` stack buffer), and the overflow Typo: s/will become/becomes/ > +-- occurs. > +-- See details in the :`lj_strfmt_wfnum()`. > +test:is(string.format('%7g', 0x1.144399609d407p+401), '5.5733e+120', > + 'correct format %7g result') > + > +test:done(true) > -- > 2.43.0 >
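Review bot: the mask in `ndlo = (ndlo + 1) & 0x3f;` is a bare magic constant; a one-line comment at the point of use tying it to the 64-entry `nd` stack buffer named in the commit message would make the wrap-around invariant visible to the next reader, since today the only explanation lives in the commit description. The commit message should also say outright that the unmasked `nd[++ndlo]` reads `nd[64]`, one element past the buffer, and that this read in `lj_strfmt_wfnum` is the stack-buffer-overflow ASAN reports, so it is not confused with a problem in the `if (ndlo == ndhi) { prec = 0; break; }` check just above it.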
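Review bot: in the test comment, `See details in the :`lj_strfmt_wfnum()`.` has a stray colon and reads as a cut-off sentence; suggest `See details in `lj_strfmt_wfnum()`.`. The new file name `lj-1149-g-number-formating-bufov.test.lua` (and the branch name) misspells "formatting"; if it is kept for consistency with the branch, the name passed to `tap.test()` should stay in sync with it, as it currently does. Since the comment states the overflow is only visible under ASAN, the commit message should note that on a plain build the test still asserts the `%7g` result `'5.5733e+120'`, so it guards the formatted output rather than the memory error itself.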