packages/luajit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!7 fix CVE-2020-24372

Browse Source 
From: @zhanghua1831
Reviewed-by: @wang_yue111,@small_leek,@overweight
Signed-off-by: @small_leek,@overweight
This commit is contained in:
openeuler-ci-bot 2021-02-09 16:34:10 +08:00 committed by Gitee
commit d9ca0d85bf
3 changed files with 224 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
CVE-2020-24372-1.patch Normal file
View File

@ -0,0 +1,22 @@
From 12ab596997b9cb27846a5b254d11230c3f9c50c8 Mon Sep 17 00:00:00 2001
From: Mike Pall <mike>
Date: Sun, 9 Aug 2020 18:08:38 +0200
Subject: [PATCH] Fix handling of errors during snapshot restore.
---
src/lj_trace.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/lj_trace.c b/src/lj_trace.c
index 311baa73c..123e6eb83 100644
--- a/src/lj_trace.c
+++ b/src/lj_trace.c
@@ -701,6 +701,8 @@ static TValue *trace_exit_cp(lua_State *L, lua_CFunction dummy, void *ud)
{
ExitDataCP *exd = (ExitDataCP *)ud;
cframe_errfunc(L->cframe) = -1; /* Inherit error function. */
+ /* Always catch error here. */
+ cframe_nres(L->cframe) = -2*LUAI_MAXSTACK*(int)sizeof(TValue);
exd->pc = lj_snap_restore(exd->J, exd->exptr);
UNUSED(dummy);
return NULL;

196
CVE-2020-24372-2.patch Normal file
View File

@ -0,0 +1,196 @@
From e296f56b825c688c3530a981dc6b495d972f3d01 Mon Sep
From: Mike Pall <mike>
Date: Sun, 9 Aug 2020 22:50:31 +0200
Subject: [PATCH] Call error function on rethrow after trace exit.
---
src/lj_debug.c | 1 +
src/lj_dispatch.h | 2 +-
src/lj_err.c | 2 +-
src/lj_err.h | 2 +-
src/lj_trace.c | 4 ++--
src/vm_arm.dasc | 2 +-
src/vm_arm64.dasc | 3 +--
src/vm_mips.dasc | 5 ++---
src/vm_mips64.dasc | 5 ++---
src/vm_ppc.dasc | 3 +--
src/vm_x64.dasc | 4 +---
src/vm_x86.dasc | 4 +---
12 files changed, 15 insertions(+), 22 deletions(-)
diff --git a/src/lj_debug.c b/src/lj_debug.c
index 959dc28..e6780dc 100644
--- a/src/lj_debug.c
+++ b/src/lj_debug.c
@@ -93,6 +93,7 @@ static BCPos debug_framepc(lua_State *L, GCfunc *fn, cTValue *nextframe)
}
}
ins = cframe_pc(cf);
+ if (!ins) return NO_BCPOS;
}
}
pt = funcproto(fn);
diff --git a/src/lj_dispatch.h b/src/lj_dispatch.h
index 5bda51a..addf557 100644
--- a/src/lj_dispatch.h
+++ b/src/lj_dispatch.h
@@ -46,7 +46,7 @@ extern double __divdf3(double a, double b);
_(asin) _(acos) _(atan) _(sinh) _(cosh) _(tanh) _(frexp) _(modf) _(atan2) \
_(pow) _(fmod) _(ldexp) _(lj_vm_modi) \
_(lj_dispatch_call) _(lj_dispatch_ins) _(lj_dispatch_stitch) \
- _(lj_dispatch_profile) _(lj_err_throw) \
+ _(lj_dispatch_profile) _(lj_err_throw) _(lj_err_run) \
_(lj_ffh_coroutine_wrap_err) _(lj_func_closeuv) _(lj_func_newL_gc) \
_(lj_gc_barrieruv) _(lj_gc_step) _(lj_gc_step_fixtop) _(lj_meta_arith) \
_(lj_meta_call) _(lj_meta_cat) _(lj_meta_comp) _(lj_meta_equal) \
diff --git a/src/lj_err.c b/src/lj_err.c
index b520b3d..c310daf 100644
--- a/src/lj_err.c
+++ b/src/lj_err.c
@@ -602,7 +602,7 @@ static ptrdiff_t finderrfunc(lua_State *L)
}
/* Runtime error. */
-LJ_NOINLINE void lj_err_run(lua_State *L)
+LJ_NOINLINE void LJ_FASTCALL lj_err_run(lua_State *L)
{
ptrdiff_t ef = finderrfunc(L);
if (ef) {
diff --git a/src/lj_err.h b/src/lj_err.h
index cba5fb7..aa4b7e0 100644
--- a/src/lj_err.h
+++ b/src/lj_err.h
@@ -23,7 +23,7 @@ LJ_DATA const char *lj_err_allmsg;
LJ_FUNC GCstr *lj_err_str(lua_State *L, ErrMsg em);
LJ_FUNCA_NORET void LJ_FASTCALL lj_err_throw(lua_State *L, int errcode);
LJ_FUNC_NORET void lj_err_mem(lua_State *L);
-LJ_FUNC_NORET void lj_err_run(lua_State *L);
+LJ_FUNCA_NORET void LJ_FASTCALL lj_err_run(lua_State *L);
LJ_FUNC_NORET void lj_err_msg(lua_State *L, ErrMsg em);
LJ_FUNC_NORET void lj_err_lex(lua_State *L, GCstr *src, const char *tok,
BCLine line, ErrMsg em, va_list argp);
diff --git a/src/lj_trace.c b/src/lj_trace.c
index 797f010..07a6d6d 100644
--- a/src/lj_trace.c
+++ b/src/lj_trace.c
@@ -782,8 +782,8 @@ typedef struct ExitDataCP {
static TValue *trace_exit_cp(lua_State *L, lua_CFunction dummy, void *ud)
{
ExitDataCP *exd = (ExitDataCP *)ud;
- cframe_errfunc(L->cframe) = -1; /* Inherit error function. */
- /* Always catch error here. */
+ /* Always catch error here and don't call error function. */
+ cframe_errfunc(L->cframe) = 0;
cframe_nres(L->cframe) = -2*LUAI_MAXSTACK*(int)sizeof(TValue);
exd->pc = lj_snap_restore(exd->J, exd->exptr);
UNUSED(dummy);
diff --git a/src/vm_arm.dasc b/src/vm_arm.dasc
index 780cc16..5d686c5 100644
--- a/src/vm_arm.dasc
+++ b/src/vm_arm.dasc
@@ -2246,7 +2246,7 @@ static void build_subroutines(BuildCtx *ctx)
|9: // Rethrow error from the right C frame.
| rsb CARG2, CARG1, #0
| mov CARG1, L
- | bl extern lj_err_throw // (lua_State *L, int errcode)
+ | bl extern lj_err_run // (lua_State *L)
|.endif
|
|//-----------------------------------------------------------------------
diff --git a/src/vm_arm64.dasc b/src/vm_arm64.dasc
index 3eaf376..927f27d 100644
--- a/src/vm_arm64.dasc
+++ b/src/vm_arm64.dasc
@@ -2033,9 +2033,8 @@ static void build_subroutines(BuildCtx *ctx)
| b <2
|
|9: // Rethrow error from the right C frame.
- | neg CARG2, CARG1
| mov CARG1, L
- | bl extern lj_err_throw // (lua_State *L, int errcode)
+ | bl extern lj_err_run // (lua_State *L)
|.endif
|
|//-----------------------------------------------------------------------
diff --git a/src/vm_mips.dasc b/src/vm_mips.dasc
index 1afd611..b405ef4 100644
--- a/src/vm_mips.dasc
+++ b/src/vm_mips.dasc
@@ -2512,9 +2512,8 @@ static void build_subroutines(BuildCtx *ctx)
|. addu RA, RA, BASE
|
|9: // Rethrow error from the right C frame.
- | load_got lj_err_throw
- | negu CARG2, CRET1
- | call_intern lj_err_throw // (lua_State *L, int errcode)
+ | load_got lj_err_run
+ | call_intern lj_err_run // (lua_State *L)
|. move CARG1, L
|.endif
|
diff --git a/src/vm_mips64.dasc b/src/vm_mips64.dasc
index c06270a..59acc74 100644
--- a/src/vm_mips64.dasc
+++ b/src/vm_mips64.dasc
@@ -2470,9 +2470,8 @@ static void build_subroutines(BuildCtx *ctx)
|. daddu RA, RA, BASE
|
|9: // Rethrow error from the right C frame.
- | load_got lj_err_throw
- | negu CARG2, CRET1
- | call_intern lj_err_throw // (lua_State *L, int errcode)
+ | load_got lj_err_run
+ | call_intern lj_err_run // (lua_State *L)
|. move CARG1, L
|.endif
|
diff --git a/src/vm_ppc.dasc b/src/vm_ppc.dasc
index b4260eb..f8d3633 100644
--- a/src/vm_ppc.dasc
+++ b/src/vm_ppc.dasc
@@ -2706,9 +2706,8 @@ static void build_subroutines(BuildCtx *ctx)
| bctr
|
|9: // Rethrow error from the right C frame.
- | neg CARG2, CARG1
| mr CARG1, L
- | bl extern lj_err_throw // (lua_State *L, int errcode)
+ | bl extern lj_err_run // (lua_State *L)
|.endif
|
|//-----------------------------------------------------------------------
diff --git a/src/vm_x64.dasc b/src/vm_x64.dasc
index a003fb4..379af6d 100644
--- a/src/vm_x64.dasc
+++ b/src/vm_x64.dasc
@@ -2509,10 +2509,8 @@ static void build_subroutines(BuildCtx *ctx)
| jmp <2
|
|9: // Rethrow error from the right C frame.
- | neg RD
| mov CARG1, L:RB
- | mov CARG2, RD
- | call extern lj_err_throw // (lua_State *L, int errcode)
+ | call extern lj_err_run // (lua_State *L)
|.endif
|
|//-----------------------------------------------------------------------
diff --git a/src/vm_x86.dasc b/src/vm_x86.dasc
index 211ae7b..5ecb277 100644
--- a/src/vm_x86.dasc
+++ b/src/vm_x86.dasc
@@ -2960,10 +2960,8 @@ static void build_subroutines(BuildCtx *ctx)
| jmp <2
|
|9: // Rethrow error from the right C frame.
- | neg RD
| mov FCARG1, L:RB
- | mov FCARG2, RD
- | call extern lj_err_throw@8 // (lua_State *L, int errcode)
+ | call extern lj_err_run@4 // (lua_State *L)
|.endif
|
|//-----------------------------------------------------------------------
--
2.23.0

7
luajit.spec
View File

@ -2,12 +2,14 @@
Name: luajit Name: luajit
Version: 2.1.0 Version: 2.1.0
Release: 1 Release: 2
Summary: Just-In-Time Compiler for Lua Summary: Just-In-Time Compiler for Lua
License: MIT License: MIT
URL: http://luajit.org/ URL: http://luajit.org/
Source0: http://luajit.org/download/LuaJIT-2.1.0-beta3.tar.gz Source0: http://luajit.org/download/LuaJIT-2.1.0-beta3.tar.gz
Patch0: CVE-2020-15890.patch Patch0: CVE-2020-15890.patch
Patch1: CVE-2020-24372-1.patch
Patch2: CVE-2020-24372-2.patch
ExclusiveArch: %{arm} %{ix86} x86_64 %{mips} aarch64 ExclusiveArch: %{arm} %{ix86} x86_64 %{mips} aarch64
@ -72,6 +74,9 @@ ln -s luajit-2.1.0-beta3 %{buildroot}%{_bindir}/luajit
%{_mandir}/man1/%{name}.1* %{_mandir}/man1/%{name}.1*
%changelog %changelog
* Mon Feb 8 2021 zhanghua <zhanghua40@huawei.com> - 2.1.0-2
- fix CVE-2020-24372
* Mon Jan 11 2021 zhangatao <zhangtao221@huawei.com> - 2.1.0-1 * Mon Jan 11 2021 zhangatao <zhangtao221@huawei.com> - 2.1.0-1
- fix CVE-2020-15890 - fix CVE-2020-15890