luajit: fix several CVEs

fix CVE-2024-25176, CVE-2024-25177, CVE-2024-25178 For apply CVE-2024-25178-0003.patch more smoothly, CVE-2024-25178-0001.patch and CVE-2024-25178-0002.patch is backported. Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
author: Changqing Li <changqing.li@windriver.com> 2025-08-11 17:06:50 +0800
committer: Gyorgy Sarvari <skandigraun@gmail.com> 2025-09-06 16:27:30 +0200
commit: f1d6f37efc5279796105a7a1afca9acd87d6abd2 (patch)
tree: 743f60f3be31978dd91d489068e33ec95752da9d
parent: 55aaf6082ce512bbc11490eaada1834d1762e978 (diff)
download: meta-openembedded-f1d6f37efc5279796105a7a1afca9acd87d6abd2.tar.gz
6 files changed, 321 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25176.patch b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25176.patch
new file mode 100644
index 0000000000..7dba4e8239
--- /dev/null
+++ b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25176.patch
@@ -0,0 +1,32 @@
+From 810bf18ff0ddbae9b2ceb30dd8b9c901cc634d1f Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Tue, 5 Aug 2025 14:49:06 +0800
+Subject: [PATCH] Fix zero stripping in %g number formatting.
+Reported by pwnhacker0x18. #1149
+CVE: CVE-2024-25176
+Upstream-Status: Backport [https://github.com/LuaJIT/LuaJIT/commit/343ce0edaf3906a62022936175b2f5410024cbfc]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/lj_strfmt_num.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/src/lj_strfmt_num.c b/src/lj_strfmt_num.c
+index 3c60695c..41214894 100644
+--- a/src/lj_strfmt_num.c
+++ b/src/lj_strfmt_num.c
+@@ -454,7 +454,8 @@ static char *lj_strfmt_wfnum(SBuf *sb, SFormat sf, lua_Number n, char *p)
+            prec--;
+            if (!i) {
+              if (ndlo == ndhi) { prec = 0; break; }
+-             lj_strfmt_wuint9(tail, nd[++ndlo]);
+             ndlo = (ndlo + 1) & 0x3f;
+             lj_strfmt_wuint9(tail, nd[ndlo]);
+              i = 9;
+            }
+          }
+-- 
+2.34.1
diff --git a/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25177.patch b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25177.patch
new file mode 100644
index 0000000000..73ad9837aa
--- /dev/null
+++ b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25177.patch
@@ -0,0 +1,44 @@
+From c8421200e9accf5a10a52768bb3dca2f555bd092 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Tue, 5 Aug 2025 15:05:07 +0800
+Subject: [PATCH] Fix unsinking of IR_FSTORE for NULL metatable.
+Reported by pwnhacker0x18. #1147
+CVE: CVE-2024-25177
+Upstream-Status: Backport [https://github.com/openresty/luajit2/commit/85b4fed0b0353dd78c8c875c2f562d522a2b310f]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/lj_snap.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/src/lj_snap.c b/src/lj_snap.c
+index 4140fdb7..d7027875 100644
+--- a/src/lj_snap.c
+++ b/src/lj_snap.c
+@@ -453,6 +453,7 @@ static TRef snap_replay_const(jit_State *J, IRIns *ir)
+   case IR_KNUM: case IR_KINT64:
+     return lj_ir_k64(J, (IROp)ir->o, ir_k64(ir)->u64);
+   case IR_KPTR: return lj_ir_kptr(J, ir_kptr(ir));  /* Continuation. */
+  case IR_KNULL: return lj_ir_knull(J, irt_type(ir->t));
+   default: lj_assertJ(0, "bad IR constant op %d", ir->o); return TREF_NIL;
+   }
+ }
+@@ -882,9 +883,13 @@ static void snap_unsink(jit_State *J, GCtrace *T, ExitState *ex,
+        if (irk->o == IR_FREF) {
+          lj_assertJ(irk->op2 == IRFL_TAB_META,
+                     "sunk store with bad field %d", irk->op2);
+       if (T->ir[irs->op2].o == IR_KNULL) {
+         setgcrefnull(t->metatable);
+       } else {
+          snap_restoreval(J, T, ex, snapno, rfilt, irs->op2, &tmp);
+          /* NOBARRIER: The table is new (marked white). */
+          setgcref(t->metatable, obj2gco(tabV(&tmp)));
+       }
+        } else {
+          irk = &T->ir[irk->op2];
+          if (irk->o == IR_KSLOT) irk = &T->ir[irk->op1];
+-- 
+2.34.1
diff --git a/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25178-0001.patch b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25178-0001.patch
new file mode 100644
index 0000000000..50dddf6378
--- /dev/null
+++ b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25178-0001.patch
@@ -0,0 +1,28 @@
+From d4fd9f2939645eb20616ced3bbffba609c1eeac6 Mon Sep 17 00:00:00 2001
+From: Mike Pall <mike>
+Date: Wed, 9 Nov 2022 11:01:41 +0100
+Subject: [PATCH 1/3] Ensure correct stack top for OOM error message.
+Reported by Sergey Kaplun.
+Upstream-Status: Backport [https://github.com/LuaJIT/LuaJIT/commit/ca8d3257bb44e42100c7910c47dcdcf01f494187]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/lj_err.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/src/lj_err.c b/src/lj_err.c
+index 563c7706..283c3d18 100644
+--- a/src/lj_err.c
+++ b/src/lj_err.c
+@@ -777,6 +777,7 @@ LJ_NOINLINE void lj_err_mem(lua_State *L)
+ {
+   if (L->status == LUA_ERRERR+1)  /* Don't touch the stack during lua_open. */
+     lj_vm_unwind_c(L->cframe, LUA_ERRMEM);
+  if (curr_funcisL(L)) L->top = curr_topL(L);
+   setstrV(L, L->top++, lj_err_str(L, LJ_ERR_ERRMEM));
+   lj_err_throw(L, LUA_ERRMEM);
+ }
+-- 
+2.34.1
diff --git a/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25178-0002.patch b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25178-0002.patch
new file mode 100644
index 0000000000..c3249cbb18
--- /dev/null
+++ b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25178-0002.patch
@@ -0,0 +1,49 @@
+From 4b736a552ff84d72f39aa0cf36eb8a4e1a77f350 Mon Sep 17 00:00:00 2001
+From: Mike Pall <mike>
+Date: Thu, 21 Sep 2023 01:58:43 +0200
+Subject: [PATCH 2/3] Cleanup stack overflow handling.
+Reported by Peter Cawley. #962
+Upstream-Status: Backport [https://github.com/LuaJIT/LuaJIT/commit/d2f6c55b05c716e5dbb479b7e684abaee7cf6e12]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/lj_state.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+diff --git a/src/lj_state.c b/src/lj_state.c
+index 0b9c46ba..ccdfa381 100644
+--- a/src/lj_state.c
+++ b/src/lj_state.c
+@@ -103,8 +103,17 @@ void lj_state_shrinkstack(lua_State *L, MSize used)
+ void LJ_FASTCALL lj_state_growstack(lua_State *L, MSize need)
+ {
+   MSize n;
+-  if (L->stacksize > LJ_STACK_MAXEX)  /* Overflow while handling overflow? */
+-    lj_err_throw(L, LUA_ERRERR);
+  if (L->stacksize >= LJ_STACK_MAXEX) {
+    /* 4. Throw 'error in error handling' when we are _over_ the limit. */
+    if (L->stacksize > LJ_STACK_MAXEX)
+      lj_err_throw(L, LUA_ERRERR);  /* Does not invoke an error handler. */
+    /* 1. We are _at_ the limit after the last growth. */
+    if (!L->status) {  /* 2. Throw 'stack overflow'. */
+      L->status = LUA_ERRRUN;  /* Prevent ending here again for pushed msg. */
+      lj_err_msg(L, LJ_ERR_STKOV);  /* May invoke an error handler. */
+    }
+    /* 3. Add space (over the limit) for pushed message and error handler. */
+  }
+   n = L->stacksize + need;
+   if (n > LJ_STACK_MAX) {
+     n += 2*LUA_MINSTACK;
+@@ -114,8 +123,6 @@ void LJ_FASTCALL lj_state_growstack(lua_State *L, MSize need)
+       n = LJ_STACK_MAX;
+   }
+   resizestack(L, n);
+-  if (L->stacksize > LJ_STACK_MAXEX)
+-    lj_err_msg(L, LJ_ERR_STKOV);
+ }
+ 
+ void LJ_FASTCALL lj_state_growstack1(lua_State *L)
+-- 
+2.34.1
diff --git a/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25178-0003.patch b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25178-0003.patch
new file mode 100644
index 0000000000..d830c21916
--- /dev/null
+++ b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25178-0003.patch
@@ -0,0 +1,163 @@
+From 891bd078750312746541327332071a8fc354c10b Mon Sep 17 00:00:00 2001
+From: Mike Pall <mike>
+Date: Sun, 4 Feb 2024 16:34:30 +0100
+Subject: [PATCH] Rework stack overflow handling.
+Reported by pwnhacker0x18. Fixed by Peter Cawley. #1152
+CVE: CVE-2024-25178
+Upstream-Status: Backport [https://github.com/LuaJIT/LuaJIT/commit/defe61a56751a0db5f00ff3ab7b8f45436ba74c8
+https://github.com/LuaJIT/LuaJIT/commit/0d313b243194a0b8d2399d8b549ca5a0ff234db5]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/lj_debug.c |  1 +
+ src/lj_err.c   | 22 +++++++++++++++++---
+ src/lj_err.h   |  1 +
+ src/lj_state.c | 56 +++++++++++++++++++++++++++++++++-----------------
+ 4 files changed, 58 insertions(+), 22 deletions(-)
+diff --git a/src/lj_debug.c b/src/lj_debug.c
+index 112f5358..861fac6b 100644
+--- a/src/lj_debug.c
+++ b/src/lj_debug.c
+@@ -64,6 +64,7 @@ static BCPos debug_framepc(lua_State *L, GCfunc *fn, cTValue *nextframe)
+     if (cf == NULL || (char *)cframe_pc(cf) == (char *)cframe_L(cf))
+       return NO_BCPOS;
+     ins = cframe_pc(cf);  /* Only happens during error/hook handling. */
+    if (!ins) return NO_BCPOS;
+   } else {
+     if (frame_islua(nextframe)) {
+       ins = frame_pc(nextframe);
+diff --git a/src/lj_err.c b/src/lj_err.c
+index 283c3d18..b514df57 100644
+--- a/src/lj_err.c
+++ b/src/lj_err.c
+@@ -777,7 +777,14 @@ LJ_NOINLINE void lj_err_mem(lua_State *L)
+ {
+   if (L->status == LUA_ERRERR+1)  /* Don't touch the stack during lua_open. */
+     lj_vm_unwind_c(L->cframe, LUA_ERRMEM);
+-  if (curr_funcisL(L)) L->top = curr_topL(L);
+  if (curr_funcisL(L)) {
+    L->top = curr_topL(L);
+    if (LJ_UNLIKELY(L->top > tvref(L->maxstack))) {
+      /* The current Lua frame violates the stack. Replace it with a dummy. */
+      L->top = L->base;
+      setframe_gc(L->base - 1 - LJ_FR2, obj2gco(L), LJ_TTHREAD);
+    }
+  }
+   setstrV(L, L->top++, lj_err_str(L, LJ_ERR_ERRMEM));
+   lj_err_throw(L, LUA_ERRMEM);
+ }
+@@ -838,9 +845,11 @@ LJ_NOINLINE void LJ_FASTCALL lj_err_run(lua_State *L)
+ {
+   ptrdiff_t ef = (LJ_HASJIT && tvref(G(L)->jit_base)) ? 0 : finderrfunc(L);
+   if (ef) {
+-    TValue *errfunc = restorestack(L, ef);
+-    TValue *top = L->top;
+    TValue *errfunc, *top;
+    lj_state_checkstack(L, LUA_MINSTACK * 2);  /* Might raise new error. */
+     lj_trace_abort(G(L));
+    errfunc = restorestack(L, ef);
+    top = L->top;
+     if (!tvisfunc(errfunc) || L->status == LUA_ERRERR) {
+       setstrV(L, top-1, lj_err_str(L, LJ_ERR_ERRERR));
+       lj_err_throw(L, LUA_ERRERR);
+@@ -865,6 +874,13 @@ LJ_NOINLINE void LJ_FASTCALL lj_err_trace(lua_State *L, int errcode)
+ }
+ #endif
+ 
+/* Stack overflow error. */
+void LJ_FASTCALL lj_err_stkov(lua_State *L)
+{
+  lj_debug_addloc(L, err2msg(LJ_ERR_STKOV), L->base-1, NULL);
+  lj_err_run(L);
+}
+
+ /* Formatted runtime error message. */
+ LJ_NORET LJ_NOINLINE static void err_msgv(lua_State *L, ErrMsg em, ...)
+ {
+diff --git a/src/lj_err.h b/src/lj_err.h
+index bd4de9ae..a3aaa756 100644
+--- a/src/lj_err.h
+++ b/src/lj_err.h
+@@ -23,6 +23,7 @@ LJ_DATA const char *lj_err_allmsg;
+ LJ_FUNC GCstr *lj_err_str(lua_State *L, ErrMsg em);
+ LJ_FUNCA_NORET void LJ_FASTCALL lj_err_throw(lua_State *L, int errcode);
+ LJ_FUNC_NORET void lj_err_mem(lua_State *L);
+LJ_FUNC_NORET void LJ_FASTCALL lj_err_stkov(lua_State *L);
+ LJ_FUNC_NORET void LJ_FASTCALL lj_err_run(lua_State *L);
+ #if LJ_HASJIT
+ LJ_FUNCA_NORET void LJ_FASTCALL lj_err_trace(lua_State *L, int errcode);
+diff --git a/src/lj_state.c b/src/lj_state.c
+index ccdfa381..74725bbc 100644
+--- a/src/lj_state.c
+++ b/src/lj_state.c
+@@ -102,27 +102,45 @@ void lj_state_shrinkstack(lua_State *L, MSize used)
+ /* Try to grow stack. */
+ void LJ_FASTCALL lj_state_growstack(lua_State *L, MSize need)
+ {
+-  MSize n;
+-  if (L->stacksize >= LJ_STACK_MAXEX) {
+-    /* 4. Throw 'error in error handling' when we are _over_ the limit. */
+-    if (L->stacksize > LJ_STACK_MAXEX)
+  MSize n = L->stacksize + need;
+  if (LJ_LIKELY(n < LJ_STACK_MAX)) {  /* The stack can grow as requested. */
+    if (n < 2 * L->stacksize) {  /* Try to double the size. */
+      n = 2 * L->stacksize;
+      if (n > LJ_STACK_MAX)
+   n = LJ_STACK_MAX;
+    }
+    resizestack(L, n);
+  } else {  /* Request would overflow. Raise a stack overflow error. */
+    if (curr_funcisL(L)) {
+      L->top = curr_topL(L);
+      if (L->top > tvref(L->maxstack)) {
+   /* The current Lua frame violates the stack, so replace it with a
+   ** dummy. This can happen when BC_IFUNCF is trying to grow the stack.
+   */
+   L->top = L->base;
+    setframe_gc(L->base - 1 - LJ_FR2, obj2gco(L), LJ_TTHREAD);
+      }
+    }
+    if (L->stacksize <= LJ_STACK_MAXEX) {
+      /* An error handler might want to inspect the stack overflow error, but
+      ** will need some stack space to run in. We give it a stack size beyond
+      ** the normal limit in order to do so, then rely on lj_state_relimitstack
+      ** calls during unwinding to bring us back to a convential stack size.
+      ** The + 1 is space for the error message, and 2 * LUA_MINSTACK is for
+      ** the lj_state_checkstack() call in lj_err_run().
+      */
+      resizestack(L, LJ_STACK_MAX + 1 + 2 * LUA_MINSTACK);
+      lj_err_stkov(L);  /* May invoke an error handler. */
+    } else {
+      /* If we're here, then the stack overflow error handler is requesting
+      ** to grow the stack even further. We have no choice but to abort the
+      ** error handler.
+      */
+      GCstr *em = lj_err_str(L, LJ_ERR_STKOV);  /* Might OOM. */
+      setstrV(L, L->top++, em);  /* There is always space to push an error. */
+       lj_err_throw(L, LUA_ERRERR);  /* Does not invoke an error handler. */
+-    /* 1. We are _at_ the limit after the last growth. */
+-    if (!L->status) {  /* 2. Throw 'stack overflow'. */
+-      L->status = LUA_ERRRUN;  /* Prevent ending here again for pushed msg. */
+-      lj_err_msg(L, LJ_ERR_STKOV);  /* May invoke an error handler. */
+     }
+-    /* 3. Add space (over the limit) for pushed message and error handler. */
+-  }
+-  n = L->stacksize + need;
+-  if (n > LJ_STACK_MAX) {
+-    n += 2*LUA_MINSTACK;
+-  } else if (n < 2*L->stacksize) {
+-    n = 2*L->stacksize;
+-    if (n >= LJ_STACK_MAX)
+-      n = LJ_STACK_MAX;
+-  }
+-  resizestack(L, n);
+  } 
+ }
+ 
+ void LJ_FASTCALL lj_state_growstack1(lua_State *L)
+-- 
+2.34.1
diff --git a/meta-oe/recipes-devtools/luajit/luajit_git.bb b/meta-oe/recipes-devtools/luajit/luajit_git.bb
index 3f3939eeb4..592fb20565 100644
--- a/meta-oe/recipes-devtools/luajit/luajit_git.bb
+++ b/meta-oe/recipes-devtools/luajit/luajit_git.bb
@@ -6,6 +6,11 @@ HOMEPAGE = "http://luajit.org"
 SRC_URI = "git://luajit.org/git/luajit-2.0.git;protocol=http;branch=v2.1 \
           file://0001-Do-not-strip-automatically-this-leaves-the-stripping.patch \
           file://clang.patch \
+           file://CVE-2024-25176.patch \
+           file://CVE-2024-25177.patch \
+           file://CVE-2024-25178-0001.patch \
+           file://CVE-2024-25178-0002.patch \
+           file://CVE-2024-25178-0003.patch \
           "
 # Set PV to a version tag and date (YYMMDD) associated with SRCREV if it is later.
author	Changqing Li <changqing.li@windriver.com>	2025-08-11 17:06:50 +0800
committer	Gyorgy Sarvari <skandigraun@gmail.com>	2025-09-06 16:27:30 +0200
commit	f1d6f37efc5279796105a7a1afca9acd87d6abd2 (patch)
tree	743f60f3be31978dd91d489068e33ec95752da9d
parent	55aaf6082ce512bbc11490eaada1834d1762e978 (diff)
download	meta-openembedded-f1d6f37efc5279796105a7a1afca9acd87d6abd2.tar.gz

diff --git a/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25176.patch b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25176.patch new file mode 100644 index 0000000000..7dba4e8239 --- /dev/null +++ b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25176.patch
@@ -0,0 +1,32 @@
		1	From 810bf18ff0ddbae9b2ceb30dd8b9c901cc634d1f Mon Sep 17 00:00:00 2001
		2	From: Changqing Li <changqing.li@windriver.com>
		3	Date: Tue, 5 Aug 2025 14:49:06 +0800
		4	Subject: [PATCH] Fix zero stripping in %g number formatting.
		5
		6	Reported by pwnhacker0x18. #1149
		7
		8	CVE: CVE-2024-25176
		9	Upstream-Status: Backport [https://github.com/LuaJIT/LuaJIT/commit/343ce0edaf3906a62022936175b2f5410024cbfc]
		10
		11	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		12	---
		13	src/lj_strfmt_num.c \| 3 ++-
		14	1 file changed, 2 insertions(+), 1 deletion(-)
		15
		16	diff --git a/src/lj_strfmt_num.c b/src/lj_strfmt_num.c
		17	index 3c60695c..41214894 100644
		18	--- a/src/lj_strfmt_num.c
		19	+++ b/src/lj_strfmt_num.c
		20	@@ -454,7 +454,8 @@ static char lj_strfmt_wfnum(SBuf sb, SFormat sf, lua_Number n, char *p)
		21	prec--;
		22	if (!i) {
		23	if (ndlo == ndhi) { prec = 0; break; }
		24	- lj_strfmt_wuint9(tail, nd[++ndlo]);
		25	+ ndlo = (ndlo + 1) & 0x3f;
		26	+ lj_strfmt_wuint9(tail, nd[ndlo]);
		27	i = 9;
		28	}
		29	}
		30	--
		31	2.34.1
		32


diff --git a/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25177.patch b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25177.patch new file mode 100644 index 0000000000..73ad9837aa --- /dev/null +++ b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25177.patch
@@ -0,0 +1,44 @@
		1	From c8421200e9accf5a10a52768bb3dca2f555bd092 Mon Sep 17 00:00:00 2001
		2	From: Changqing Li <changqing.li@windriver.com>
		3	Date: Tue, 5 Aug 2025 15:05:07 +0800
		4	Subject: [PATCH] Fix unsinking of IR_FSTORE for NULL metatable.
		5
		6	Reported by pwnhacker0x18. #1147
		7
		8	CVE: CVE-2024-25177
		9	Upstream-Status: Backport [https://github.com/openresty/luajit2/commit/85b4fed0b0353dd78c8c875c2f562d522a2b310f]
		10
		11	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		12	---
		13	src/lj_snap.c \| 5 +++++
		14	1 file changed, 5 insertions(+)
		15
		16	diff --git a/src/lj_snap.c b/src/lj_snap.c
		17	index 4140fdb7..d7027875 100644
		18	--- a/src/lj_snap.c
		19	+++ b/src/lj_snap.c
		20	@@ -453,6 +453,7 @@ static TRef snap_replay_const(jit_State J, IRIns ir)
		21	case IR_KNUM: case IR_KINT64:
		22	return lj_ir_k64(J, (IROp)ir->o, ir_k64(ir)->u64);
		23	case IR_KPTR: return lj_ir_kptr(J, ir_kptr(ir)); /* Continuation. */
		24	+ case IR_KNULL: return lj_ir_knull(J, irt_type(ir->t));
		25	default: lj_assertJ(0, "bad IR constant op %d", ir->o); return TREF_NIL;
		26	}
		27	}
		28	@@ -882,9 +883,13 @@ static void snap_unsink(jit_State J, GCtrace T, ExitState *ex,
		29	if (irk->o == IR_FREF) {
		30	lj_assertJ(irk->op2 == IRFL_TAB_META,
		31	"sunk store with bad field %d", irk->op2);
		32	+ if (T->ir[irs->op2].o == IR_KNULL) {
		33	+ setgcrefnull(t->metatable);
		34	+ } else {
		35	snap_restoreval(J, T, ex, snapno, rfilt, irs->op2, &tmp);
		36	/* NOBARRIER: The table is new (marked white). */
		37	setgcref(t->metatable, obj2gco(tabV(&tmp)));
		38	+ }
		39	} else {
		40	irk = &T->ir[irk->op2];
		41	if (irk->o == IR_KSLOT) irk = &T->ir[irk->op1];
		42	--
		43	2.34.1
		44


diff --git a/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25178-0001.patch b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25178-0001.patch new file mode 100644 index 0000000000..50dddf6378 --- /dev/null +++ b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25178-0001.patch
@@ -0,0 +1,28 @@
		1	From d4fd9f2939645eb20616ced3bbffba609c1eeac6 Mon Sep 17 00:00:00 2001
		2	From: Mike Pall <mike>
		3	Date: Wed, 9 Nov 2022 11:01:41 +0100
		4	Subject: [PATCH 1/3] Ensure correct stack top for OOM error message.
		5
		6	Reported by Sergey Kaplun.
		7
		8	Upstream-Status: Backport [https://github.com/LuaJIT/LuaJIT/commit/ca8d3257bb44e42100c7910c47dcdcf01f494187]
		9	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		10	---
		11	src/lj_err.c \| 1 +
		12	1 file changed, 1 insertion(+)
		13
		14	diff --git a/src/lj_err.c b/src/lj_err.c
		15	index 563c7706..283c3d18 100644
		16	--- a/src/lj_err.c
		17	+++ b/src/lj_err.c
		18	@@ -777,6 +777,7 @@ LJ_NOINLINE void lj_err_mem(lua_State *L)
		19	{
		20	if (L->status == LUA_ERRERR+1) /* Don't touch the stack during lua_open. */
		21	lj_vm_unwind_c(L->cframe, LUA_ERRMEM);
		22	+ if (curr_funcisL(L)) L->top = curr_topL(L);
		23	setstrV(L, L->top++, lj_err_str(L, LJ_ERR_ERRMEM));
		24	lj_err_throw(L, LUA_ERRMEM);
		25	}
		26	--
		27	2.34.1
		28


diff --git a/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25178-0002.patch b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25178-0002.patch new file mode 100644 index 0000000000..c3249cbb18 --- /dev/null +++ b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25178-0002.patch
@@ -0,0 +1,49 @@
		1	From 4b736a552ff84d72f39aa0cf36eb8a4e1a77f350 Mon Sep 17 00:00:00 2001
		2	From: Mike Pall <mike>
		3	Date: Thu, 21 Sep 2023 01:58:43 +0200
		4	Subject: [PATCH 2/3] Cleanup stack overflow handling.
		5
		6	Reported by Peter Cawley. #962
		7
		8	Upstream-Status: Backport [https://github.com/LuaJIT/LuaJIT/commit/d2f6c55b05c716e5dbb479b7e684abaee7cf6e12]
		9	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		10	---
		11	src/lj_state.c \| 15 +++++++++++----
		12	1 file changed, 11 insertions(+), 4 deletions(-)
		13
		14	diff --git a/src/lj_state.c b/src/lj_state.c
		15	index 0b9c46ba..ccdfa381 100644
		16	--- a/src/lj_state.c
		17	+++ b/src/lj_state.c
		18	@@ -103,8 +103,17 @@ void lj_state_shrinkstack(lua_State *L, MSize used)
		19	void LJ_FASTCALL lj_state_growstack(lua_State *L, MSize need)
		20	{
		21	MSize n;
		22	- if (L->stacksize > LJ_STACK_MAXEX) /* Overflow while handling overflow? */
		23	- lj_err_throw(L, LUA_ERRERR);
		24	+ if (L->stacksize >= LJ_STACK_MAXEX) {
		25	+ /* 4. Throw 'error in error handling' when we are _over_ the limit. */
		26	+ if (L->stacksize > LJ_STACK_MAXEX)
		27	+ lj_err_throw(L, LUA_ERRERR); /* Does not invoke an error handler. */
		28	+ /* 1. We are _at_ the limit after the last growth. */
		29	+ if (!L->status) { /* 2. Throw 'stack overflow'. */
		30	+ L->status = LUA_ERRRUN; /* Prevent ending here again for pushed msg. */
		31	+ lj_err_msg(L, LJ_ERR_STKOV); /* May invoke an error handler. */
		32	+ }
		33	+ /* 3. Add space (over the limit) for pushed message and error handler. */
		34	+ }
		35	n = L->stacksize + need;
		36	if (n > LJ_STACK_MAX) {
		37	n += 2*LUA_MINSTACK;
		38	@@ -114,8 +123,6 @@ void LJ_FASTCALL lj_state_growstack(lua_State *L, MSize need)
		39	n = LJ_STACK_MAX;
		40	}
		41	resizestack(L, n);
		42	- if (L->stacksize > LJ_STACK_MAXEX)
		43	- lj_err_msg(L, LJ_ERR_STKOV);
		44	}
		45
		46	void LJ_FASTCALL lj_state_growstack1(lua_State *L)
		47	--
		48	2.34.1
		49


diff --git a/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25178-0003.patch b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25178-0003.patch new file mode 100644 index 0000000000..d830c21916 --- /dev/null +++ b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25178-0003.patch
@@ -0,0 +1,163 @@
		1	From 891bd078750312746541327332071a8fc354c10b Mon Sep 17 00:00:00 2001
		2	From: Mike Pall <mike>
		3	Date: Sun, 4 Feb 2024 16:34:30 +0100
		4	Subject: [PATCH] Rework stack overflow handling.
		5
		6	Reported by pwnhacker0x18. Fixed by Peter Cawley. #1152
		7
		8	CVE: CVE-2024-25178
		9	Upstream-Status: Backport [https://github.com/LuaJIT/LuaJIT/commit/defe61a56751a0db5f00ff3ab7b8f45436ba74c8
		10	https://github.com/LuaJIT/LuaJIT/commit/0d313b243194a0b8d2399d8b549ca5a0ff234db5]
		11
		12	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		13	---
		14	src/lj_debug.c \| 1 +
		15	src/lj_err.c \| 22 +++++++++++++++++---
		16	src/lj_err.h \| 1 +
		17	src/lj_state.c \| 56 +++++++++++++++++++++++++++++++++-----------------
		18	4 files changed, 58 insertions(+), 22 deletions(-)
		19
		20	diff --git a/src/lj_debug.c b/src/lj_debug.c
		21	index 112f5358..861fac6b 100644
		22	--- a/src/lj_debug.c
		23	+++ b/src/lj_debug.c
		24	@@ -64,6 +64,7 @@ static BCPos debug_framepc(lua_State L, GCfunc fn, cTValue *nextframe)
		25	if (cf == NULL \|\| (char )cframe_pc(cf) == (char )cframe_L(cf))
		26	return NO_BCPOS;
		27	ins = cframe_pc(cf); /* Only happens during error/hook handling. */
		28	+ if (!ins) return NO_BCPOS;
		29	} else {
		30	if (frame_islua(nextframe)) {
		31	ins = frame_pc(nextframe);
		32	diff --git a/src/lj_err.c b/src/lj_err.c
		33	index 283c3d18..b514df57 100644
		34	--- a/src/lj_err.c
		35	+++ b/src/lj_err.c
		36	@@ -777,7 +777,14 @@ LJ_NOINLINE void lj_err_mem(lua_State *L)
		37	{
		38	if (L->status == LUA_ERRERR+1) /* Don't touch the stack during lua_open. */
		39	lj_vm_unwind_c(L->cframe, LUA_ERRMEM);
		40	- if (curr_funcisL(L)) L->top = curr_topL(L);
		41	+ if (curr_funcisL(L)) {
		42	+ L->top = curr_topL(L);
		43	+ if (LJ_UNLIKELY(L->top > tvref(L->maxstack))) {
		44	+ /* The current Lua frame violates the stack. Replace it with a dummy. */
		45	+ L->top = L->base;
		46	+ setframe_gc(L->base - 1 - LJ_FR2, obj2gco(L), LJ_TTHREAD);
		47	+ }
		48	+ }
		49	setstrV(L, L->top++, lj_err_str(L, LJ_ERR_ERRMEM));
		50	lj_err_throw(L, LUA_ERRMEM);
		51	}
		52	@@ -838,9 +845,11 @@ LJ_NOINLINE void LJ_FASTCALL lj_err_run(lua_State *L)
		53	{
		54	ptrdiff_t ef = (LJ_HASJIT && tvref(G(L)->jit_base)) ? 0 : finderrfunc(L);
		55	if (ef) {
		56	- TValue *errfunc = restorestack(L, ef);
		57	- TValue *top = L->top;
		58	+ TValue errfunc, top;
		59	+ lj_state_checkstack(L, LUA_MINSTACK * 2); /* Might raise new error. */
		60	lj_trace_abort(G(L));
		61	+ errfunc = restorestack(L, ef);
		62	+ top = L->top;
		63	if (!tvisfunc(errfunc) \|\| L->status == LUA_ERRERR) {
		64	setstrV(L, top-1, lj_err_str(L, LJ_ERR_ERRERR));
		65	lj_err_throw(L, LUA_ERRERR);
		66	@@ -865,6 +874,13 @@ LJ_NOINLINE void LJ_FASTCALL lj_err_trace(lua_State *L, int errcode)
		67	}
		68	#endif
		69
		70	+/* Stack overflow error. */
		71	+void LJ_FASTCALL lj_err_stkov(lua_State *L)
		72	+{
		73	+ lj_debug_addloc(L, err2msg(LJ_ERR_STKOV), L->base-1, NULL);
		74	+ lj_err_run(L);
		75	+}
		76	+
		77	/* Formatted runtime error message. */
		78	LJ_NORET LJ_NOINLINE static void err_msgv(lua_State *L, ErrMsg em, ...)
		79	{
		80	diff --git a/src/lj_err.h b/src/lj_err.h
		81	index bd4de9ae..a3aaa756 100644
		82	--- a/src/lj_err.h
		83	+++ b/src/lj_err.h
		84	@@ -23,6 +23,7 @@ LJ_DATA const char *lj_err_allmsg;
		85	LJ_FUNC GCstr lj_err_str(lua_State L, ErrMsg em);
		86	LJ_FUNCA_NORET void LJ_FASTCALL lj_err_throw(lua_State *L, int errcode);
		87	LJ_FUNC_NORET void lj_err_mem(lua_State *L);
		88	+LJ_FUNC_NORET void LJ_FASTCALL lj_err_stkov(lua_State *L);
		89	LJ_FUNC_NORET void LJ_FASTCALL lj_err_run(lua_State *L);
		90	#if LJ_HASJIT
		91	LJ_FUNCA_NORET void LJ_FASTCALL lj_err_trace(lua_State *L, int errcode);
		92	diff --git a/src/lj_state.c b/src/lj_state.c
		93	index ccdfa381..74725bbc 100644
		94	--- a/src/lj_state.c
		95	+++ b/src/lj_state.c
		96	@@ -102,27 +102,45 @@ void lj_state_shrinkstack(lua_State *L, MSize used)
		97	/* Try to grow stack. */
		98	void LJ_FASTCALL lj_state_growstack(lua_State *L, MSize need)
		99	{
		100	- MSize n;
		101	- if (L->stacksize >= LJ_STACK_MAXEX) {
		102	- /* 4. Throw 'error in error handling' when we are _over_ the limit. */
		103	- if (L->stacksize > LJ_STACK_MAXEX)
		104	+ MSize n = L->stacksize + need;
		105	+ if (LJ_LIKELY(n < LJ_STACK_MAX)) { /* The stack can grow as requested. */
		106	+ if (n < 2 * L->stacksize) { /* Try to double the size. */
		107	+ n = 2 * L->stacksize;
		108	+ if (n > LJ_STACK_MAX)
		109	+ n = LJ_STACK_MAX;
		110	+ }
		111	+ resizestack(L, n);
		112	+ } else { /* Request would overflow. Raise a stack overflow error. */
		113	+ if (curr_funcisL(L)) {
		114	+ L->top = curr_topL(L);
		115	+ if (L->top > tvref(L->maxstack)) {
		116	+ /* The current Lua frame violates the stack, so replace it with a
		117	+ ** dummy. This can happen when BC_IFUNCF is trying to grow the stack.
		118	+ */
		119	+ L->top = L->base;
		120	+ setframe_gc(L->base - 1 - LJ_FR2, obj2gco(L), LJ_TTHREAD);
		121	+ }
		122	+ }
		123	+ if (L->stacksize <= LJ_STACK_MAXEX) {
		124	+ /* An error handler might want to inspect the stack overflow error, but
		125	+ ** will need some stack space to run in. We give it a stack size beyond
		126	+ ** the normal limit in order to do so, then rely on lj_state_relimitstack
		127	+ ** calls during unwinding to bring us back to a convential stack size.
		128	+ ** The + 1 is space for the error message, and 2 * LUA_MINSTACK is for
		129	+ ** the lj_state_checkstack() call in lj_err_run().
		130	+ */
		131	+ resizestack(L, LJ_STACK_MAX + 1 + 2 * LUA_MINSTACK);
		132	+ lj_err_stkov(L); /* May invoke an error handler. */
		133	+ } else {
		134	+ /* If we're here, then the stack overflow error handler is requesting
		135	+ ** to grow the stack even further. We have no choice but to abort the
		136	+ ** error handler.
		137	+ */
		138	+ GCstr em = lj_err_str(L, LJ_ERR_STKOV); / Might OOM. */
		139	+ setstrV(L, L->top++, em); /* There is always space to push an error. */
		140	lj_err_throw(L, LUA_ERRERR); /* Does not invoke an error handler. */
		141	- /* 1. We are _at_ the limit after the last growth. */
		142	- if (!L->status) { /* 2. Throw 'stack overflow'. */
		143	- L->status = LUA_ERRRUN; /* Prevent ending here again for pushed msg. */
		144	- lj_err_msg(L, LJ_ERR_STKOV); /* May invoke an error handler. */
		145	}
		146	- /* 3. Add space (over the limit) for pushed message and error handler. */
		147	- }
		148	- n = L->stacksize + need;
		149	- if (n > LJ_STACK_MAX) {
		150	- n += 2*LUA_MINSTACK;
		151	- } else if (n < 2*L->stacksize) {
		152	- n = 2*L->stacksize;
		153	- if (n >= LJ_STACK_MAX)
		154	- n = LJ_STACK_MAX;
		155	- }
		156	- resizestack(L, n);
		157	+ }
		158	}
		159
		160	void LJ_FASTCALL lj_state_growstack1(lua_State *L)
		161	--
		162	2.34.1
		163


diff --git a/meta-oe/recipes-devtools/luajit/luajit_git.bb b/meta-oe/recipes-devtools/luajit/luajit_git.bb index 3f3939eeb4..592fb20565 100644 --- a/meta-oe/recipes-devtools/luajit/luajit_git.bb +++ b/meta-oe/recipes-devtools/luajit/luajit_git.bb
@@ -6,6 +6,11 @@ HOMEPAGE = "http://luajit.org"
6	SRC_URI = "git://luajit.org/git/luajit-2.0.git;protocol=http;branch=v2.1 \	6	SRC_URI = "git://luajit.org/git/luajit-2.0.git;protocol=http;branch=v2.1 \
7	file://0001-Do-not-strip-automatically-this-leaves-the-stripping.patch \	7	file://0001-Do-not-strip-automatically-this-leaves-the-stripping.patch \
8	file://clang.patch \	8	file://clang.patch \
		9	file://CVE-2024-25176.patch \
		10	file://CVE-2024-25177.patch \
		11	file://CVE-2024-25178-0001.patch \
		12	file://CVE-2024-25178-0002.patch \
		13	file://CVE-2024-25178-0003.patch \
9	"	14	"
10		15
11	# Set PV to a version tag and date (YYMMDD) associated with SRCREV if it is later.	16	# Set PV to a version tag and date (YYMMDD) associated with SRCREV if it is later.