summaryrefslogtreecommitdiffstats
path: root/meta-oe/recipes-devtools
diff options
context:
space:
mode:
authorChangqing Li <changqing.li@windriver.com>2025-08-06 15:48:52 +0800
committerAnuj Mittal <anuj.mittal@intel.com>2025-09-12 08:15:10 +0800
commit1095ea81ed161a3e676d2050f50f64446b8f6477 (patch)
tree92d67192fc81859c1ca766e50b8cb7716ba36c21 /meta-oe/recipes-devtools
parente099b1462db0289d04ff2d89b55519faee0403b5 (diff)
downloadmeta-openembedded-1095ea81ed161a3e676d2050f50f64446b8f6477.tar.gz
luajit: fix several CVEs
Fix CVE-2024-25176, CVE-2024-25177, CVE-2024-25178 Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Diffstat (limited to 'meta-oe/recipes-devtools')
-rw-r--r--meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25176.patch32
-rw-r--r--meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25177.patch47
-rw-r--r--meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25178.patch162
-rw-r--r--meta-oe/recipes-devtools/luajit/luajit_git.bb3
4 files changed, 244 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25176.patch b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25176.patch
new file mode 100644
index 0000000000..5d3048e05f
--- /dev/null
+++ b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25176.patch
@@ -0,0 +1,32 @@
1From fd92fb62201b3980af8e538452102e9f21426ec6 Mon Sep 17 00:00:00 2001
2From: Mike Pall <mike>
3Date: Thu, 25 Jan 2024 13:23:48 +0100
4Subject: [PATCH] Fix zero stripping in %g number formatting.
5
6Reported by pwnhacker0x18. #1149
7
8CVE: CVE-2024-25176
9Upstream-Status: Backport [https://github.com/LuaJIT/LuaJIT/commit/343ce0edaf3906a62022936175b2f5410024cbfc]
10
11Signed-off-by: Changqing Li <changqing.li@windriver.com>
12---
13 src/lj_strfmt_num.c | 3 ++-
14 1 file changed, 2 insertions(+), 1 deletion(-)
15
16diff --git a/src/lj_strfmt_num.c b/src/lj_strfmt_num.c
17index 79ec0263..c6e776aa 100644
18--- a/src/lj_strfmt_num.c
19+++ b/src/lj_strfmt_num.c
20@@ -454,7 +454,8 @@ static char *lj_strfmt_wfnum(SBuf *sb, SFormat sf, lua_Number n, char *p)
21 prec--;
22 if (!i) {
23 if (ndlo == ndhi) { prec = 0; break; }
24- lj_strfmt_wuint9(tail, nd[++ndlo]);
25+ ndlo = (ndlo + 1) & 0x3f;
26+ lj_strfmt_wuint9(tail, nd[ndlo]);
27 i = 9;
28 }
29 }
30--
312.34.1
32
diff --git a/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25177.patch b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25177.patch
new file mode 100644
index 0000000000..f02749498c
--- /dev/null
+++ b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25177.patch
@@ -0,0 +1,47 @@
1From e27aa9c2fe7e7744b517ff0811defc11a81aa454 Mon Sep 17 00:00:00 2001
2From: Changqing Li <changqing.li@windriver.com>
3Date: Mon, 4 Aug 2025 16:47:31 +0800
4Subject: [PATCH] Fix unsinking of IR_FSTORE for NULL metatable.
5
6Reported by pwnhacker0x18. #1147
7
8CVE: CVE-2024-25177
9Upstream-Status: Backport [https://github.com/openresty/luajit2/commit/85b4fed0b0353dd78c8c875c2f562d522a2b310f]
10
11Signed-off-by: Changqing Li <changqing.li@windriver.com>
12---
13 src/lj_snap.c | 11 ++++++++---
14 1 file changed, 8 insertions(+), 3 deletions(-)
15
16diff --git a/src/lj_snap.c b/src/lj_snap.c
17index 7d7347a1..f3645e87 100644
18--- a/src/lj_snap.c
19+++ b/src/lj_snap.c
20@@ -453,6 +453,7 @@ static TRef snap_replay_const(jit_State *J, IRIns *ir)
21 case IR_KNUM: case IR_KINT64:
22 return lj_ir_k64(J, (IROp)ir->o, ir_k64(ir)->u64);
23 case IR_KPTR: return lj_ir_kptr(J, ir_kptr(ir)); /* Continuation. */
24+ case IR_KNULL: return lj_ir_knull(J, irt_type(ir->t));
25 default: lj_assertJ(0, "bad IR constant op %d", ir->o); return TREF_NIL;
26 }
27 }
28@@ -902,9 +903,13 @@ static void snap_unsink(jit_State *J, GCtrace *T, ExitState *ex,
29 if (irk->o == IR_FREF) {
30 switch (irk->op2) {
31 case IRFL_TAB_META:
32- snap_restoreval(J, T, ex, snapno, rfilt, irs->op2, &tmp);
33- /* NOBARRIER: The table is new (marked white). */
34- setgcref(t->metatable, obj2gco(tabV(&tmp)));
35+ if (T->ir[irs->op2].o == IR_KNULL) {
36+ setgcrefnull(t->metatable);
37+ } else {
38+ snap_restoreval(J, T, ex, snapno, rfilt, irs->op2, &tmp);
39+ /* NOBARRIER: The table is new (marked white). */
40+ setgcref(t->metatable, obj2gco(tabV(&tmp)));
41+ }
42 break;
43 case IRFL_TAB_NOMM:
44 /* Negative metamethod cache invalidated by lj_tab_set() below. */
45--
462.34.1
47
diff --git a/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25178.patch b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25178.patch
new file mode 100644
index 0000000000..485cffff31
--- /dev/null
+++ b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25178.patch
@@ -0,0 +1,162 @@
1From f57533a41640087904ecbd5ca6946656078e6014 Mon Sep 17 00:00:00 2001
2From: Mike Pall <mike>
3Date: Sun, 4 Feb 2024 16:34:30 +0100
4Subject: [PATCH] Rework stack overflow handling.
5
6Reported by pwnhacker0x18. Fixed by Peter Cawley. #1152
7
8CVE: CVE-2024-25178
9Upstream-Status: Backport [https://github.com/LuaJIT/LuaJIT/commit/defe61a56751a0db5f00ff3ab7b8f45436ba74c8
10https://github.com/LuaJIT/LuaJIT/commit/0d313b243194a0b8d2399d8b549ca5a0ff234db5]
11
12Signed-off-by: Changqing Li <changqing.li@windriver.com>
13---
14 src/lj_debug.c | 1 +
15 src/lj_err.c | 22 +++++++++++++++++---
16 src/lj_err.h | 1 +
17 src/lj_state.c | 54 +++++++++++++++++++++++++++++++++-----------------
18 4 files changed, 57 insertions(+), 21 deletions(-)
19
20diff --git a/src/lj_debug.c b/src/lj_debug.c
21index fa189b6e..8d8b9eb5 100644
22--- a/src/lj_debug.c
23+++ b/src/lj_debug.c
24@@ -64,6 +64,7 @@ static BCPos debug_framepc(lua_State *L, GCfunc *fn, cTValue *nextframe)
25 if (cf == NULL || (char *)cframe_pc(cf) == (char *)cframe_L(cf))
26 return NO_BCPOS;
27 ins = cframe_pc(cf); /* Only happens during error/hook handling. */
28+ if (!ins) return NO_BCPOS;
29 } else {
30 if (frame_islua(nextframe)) {
31 ins = frame_pc(nextframe);
32diff --git a/src/lj_err.c b/src/lj_err.c
33index 7b11e4d0..6b752728 100644
34--- a/src/lj_err.c
35+++ b/src/lj_err.c
36@@ -818,7 +818,14 @@ LJ_NOINLINE void lj_err_mem(lua_State *L)
37 TValue *base = tvref(G(L)->jit_base);
38 if (base) L->base = base;
39 }
40- if (curr_funcisL(L)) L->top = curr_topL(L);
41+ if (curr_funcisL(L)) {
42+ L->top = curr_topL(L);
43+ if (LJ_UNLIKELY(L->top > tvref(L->maxstack))) {
44+ /* The current Lua frame violates the stack. Replace it with a dummy. */
45+ L->top = L->base;
46+ setframe_gc(L->base - 1 - LJ_FR2, obj2gco(L), LJ_TTHREAD);
47+ }
48+ }
49 setstrV(L, L->top++, lj_err_str(L, LJ_ERR_ERRMEM));
50 lj_err_throw(L, LUA_ERRMEM);
51 }
52@@ -879,9 +886,11 @@ LJ_NOINLINE void LJ_FASTCALL lj_err_run(lua_State *L)
53 {
54 ptrdiff_t ef = (LJ_HASJIT && tvref(G(L)->jit_base)) ? 0 : finderrfunc(L);
55 if (ef) {
56- TValue *errfunc = restorestack(L, ef);
57- TValue *top = L->top;
58+ TValue *errfunc, *top;
59+ lj_state_checkstack(L, LUA_MINSTACK * 2); /* Might raise new error. */
60 lj_trace_abort(G(L));
61+ errfunc = restorestack(L, ef);
62+ top = L->top;
63 if (!tvisfunc(errfunc) || L->status == LUA_ERRERR) {
64 setstrV(L, top-1, lj_err_str(L, LJ_ERR_ERRERR));
65 lj_err_throw(L, LUA_ERRERR);
66@@ -906,6 +915,13 @@ LJ_NOINLINE void LJ_FASTCALL lj_err_trace(lua_State *L, int errcode)
67 }
68 #endif
69
70+/* Stack overflow error. */
71+void LJ_FASTCALL lj_err_stkov(lua_State *L)
72+{
73+ lj_debug_addloc(L, err2msg(LJ_ERR_STKOV), L->base-1, NULL);
74+ lj_err_run(L);
75+}
76+
77 /* Formatted runtime error message. */
78 LJ_NORET LJ_NOINLINE static void err_msgv(lua_State *L, ErrMsg em, ...)
79 {
80diff --git a/src/lj_err.h b/src/lj_err.h
81index 8768fefd..67686cb7 100644
82--- a/src/lj_err.h
83+++ b/src/lj_err.h
84@@ -23,6 +23,7 @@ LJ_DATA const char *lj_err_allmsg;
85 LJ_FUNC GCstr *lj_err_str(lua_State *L, ErrMsg em);
86 LJ_FUNCA_NORET void LJ_FASTCALL lj_err_throw(lua_State *L, int errcode);
87 LJ_FUNC_NORET void lj_err_mem(lua_State *L);
88+LJ_FUNC_NORET void LJ_FASTCALL lj_err_stkov(lua_State *L);
89 LJ_FUNC_NORET void LJ_FASTCALL lj_err_run(lua_State *L);
90 #if LJ_HASJIT
91 LJ_FUNCA_NORET void LJ_FASTCALL lj_err_trace(lua_State *L, int errcode);
92diff --git a/src/lj_state.c b/src/lj_state.c
93index 7e4961bd..02cc4440 100644
94--- a/src/lj_state.c
95+++ b/src/lj_state.c
96@@ -102,27 +102,45 @@ void lj_state_shrinkstack(lua_State *L, MSize used)
97 /* Try to grow stack. */
98 void LJ_FASTCALL lj_state_growstack(lua_State *L, MSize need)
99 {
100- MSize n;
101- if (L->stacksize >= LJ_STACK_MAXEX) {
102- /* 4. Throw 'error in error handling' when we are _over_ the limit. */
103- if (L->stacksize > LJ_STACK_MAXEX)
104+ MSize n = L->stacksize + need;
105+ if (LJ_LIKELY(n < LJ_STACK_MAX)) { /* The stack can grow as requested. */
106+ if (n < 2 * L->stacksize) { /* Try to double the size. */
107+ n = 2 * L->stacksize;
108+ if (n > LJ_STACK_MAX)
109+ n = LJ_STACK_MAX;
110+ }
111+ resizestack(L, n);
112+ } else { /* Request would overflow. Raise a stack overflow error. */
113+ if (curr_funcisL(L)) {
114+ L->top = curr_topL(L);
115+ if (L->top > tvref(L->maxstack)) {
116+ /* The current Lua frame violates the stack, so replace it with a
117+ ** dummy. This can happen when BC_IFUNCF is trying to grow the stack.
118+ */
119+ L->top = L->base;
120+ setframe_gc(L->base - 1 - LJ_FR2, obj2gco(L), LJ_TTHREAD);
121+ }
122+ }
123+ if (L->stacksize <= LJ_STACK_MAXEX) {
124+ /* An error handler might want to inspect the stack overflow error, but
125+ ** will need some stack space to run in. We give it a stack size beyond
126+ ** the normal limit in order to do so, then rely on lj_state_relimitstack
127+ ** calls during unwinding to bring us back to a convential stack size.
128+ ** The + 1 is space for the error message, and 2 * LUA_MINSTACK is for
129+ ** the lj_state_checkstack() call in lj_err_run().
130+ */
131+ resizestack(L, LJ_STACK_MAX + 1 + 2 * LUA_MINSTACK);
132+ lj_err_stkov(L); /* May invoke an error handler. */
133+ } else {
134+ /* If we're here, then the stack overflow error handler is requesting
135+ ** to grow the stack even further. We have no choice but to abort the
136+ ** error handler.
137+ */
138+ GCstr *em = lj_err_str(L, LJ_ERR_STKOV); /* Might OOM. */
139+ setstrV(L, L->top++, em); /* There is always space to push an error. */
140 lj_err_throw(L, LUA_ERRERR); /* Does not invoke an error handler. */
141- /* 1. We are _at_ the limit after the last growth. */
142- if (L->status < LUA_ERRRUN) { /* 2. Throw 'stack overflow'. */
143- L->status = LUA_ERRRUN; /* Prevent ending here again for pushed msg. */
144- lj_err_msg(L, LJ_ERR_STKOV); /* May invoke an error handler. */
145 }
146- /* 3. Add space (over the limit) for pushed message and error handler. */
147- }
148- n = L->stacksize + need;
149- if (n > LJ_STACK_MAX) {
150- n += 2*LUA_MINSTACK;
151- } else if (n < 2*L->stacksize) {
152- n = 2*L->stacksize;
153- if (n >= LJ_STACK_MAX)
154- n = LJ_STACK_MAX;
155 }
156- resizestack(L, n);
157 }
158
159 void LJ_FASTCALL lj_state_growstack1(lua_State *L)
160--
1612.34.1
162
diff --git a/meta-oe/recipes-devtools/luajit/luajit_git.bb b/meta-oe/recipes-devtools/luajit/luajit_git.bb
index 240271d410..507d254556 100644
--- a/meta-oe/recipes-devtools/luajit/luajit_git.bb
+++ b/meta-oe/recipes-devtools/luajit/luajit_git.bb
@@ -6,6 +6,9 @@ HOMEPAGE = "http://luajit.org"
6SRC_URI = "git://luajit.org/git/luajit-2.0.git;protocol=http;branch=v2.1 \ 6SRC_URI = "git://luajit.org/git/luajit-2.0.git;protocol=http;branch=v2.1 \
7 file://0001-Do-not-strip-automatically-this-leaves-the-stripping.patch \ 7 file://0001-Do-not-strip-automatically-this-leaves-the-stripping.patch \
8 file://0001-Use-builtin-for-clear_cache.patch \ 8 file://0001-Use-builtin-for-clear_cache.patch \
9 file://CVE-2024-25177.patch \
10 file://CVE-2024-25176.patch \
11 file://CVE-2024-25178.patch \
9 " 12 "
10 13
11PV = "2.1" 14PV = "2.1"