From: Changqing Li <changqing.li@windriver.com>
To: openembedded-devel@lists.openembedded.org
Subject: Re: [oe] [kirkstone][meta-oe][PATCH] luajit: fix CVEs
Date: Wed, 6 Aug 2025 17:39:33 +0800 [thread overview]
Message-ID: <3a17e4d6-e215-45d0-bbb5-e9a5beeb4afb@windriver.com> (raw)
In-Reply-To: <185920C7B2EC82CE.26265@lists.openembedded.org>
Please ignore this mail, I will send a V2 later.
Regards
Changqing
On 8/6/25 16:39, Changqing Li via lists.openembedded.org wrote:
> From: Changqing Li <changqing.li@windriver.com>
>
> fix CVE-2024-25176, CVE-2024-25177
>
> Signed-off-by: Changqing Li <changqing.li@windriver.com>
> ---
> .../luajit/luajit/CVE-2024-25176.patch | 32 ++++++++++++++
> .../luajit/luajit/CVE-2024-25177.patch | 44 +++++++++++++++++++
> meta-oe/recipes-devtools/luajit/luajit_git.bb | 2 +
> 3 files changed, 78 insertions(+)
> create mode 100644 meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25176.patch
> create mode 100644 meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25177.patch
>
> diff --git a/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25176.patch b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25176.patch
> new file mode 100644
> index 0000000000..7dba4e8239
> --- /dev/null
> +++ b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25176.patch
> @@ -0,0 +1,32 @@
> +From 810bf18ff0ddbae9b2ceb30dd8b9c901cc634d1f Mon Sep 17 00:00:00 2001
> +From: Changqing Li<changqing.li@windriver.com>
> +Date: Tue, 5 Aug 2025 14:49:06 +0800
> +Subject: [PATCH] Fix zero stripping in %g number formatting.
> +
> +Reported by pwnhacker0x18. #1149
> +
> +CVE: CVE-2024-25176
> +Upstream-Status: Backport [https://github.com/LuaJIT/LuaJIT/commit/343ce0edaf3906a62022936175b2f5410024cbfc]
> +
> +Signed-off-by: Changqing Li<changqing.li@windriver.com>
> +---
> + src/lj_strfmt_num.c | 3 ++-
> + 1 file changed, 2 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/lj_strfmt_num.c b/src/lj_strfmt_num.c
> +index 3c60695c..41214894 100644
> +--- a/src/lj_strfmt_num.c
> ++++ b/src/lj_strfmt_num.c
> +@@ -454,7 +454,8 @@ static char *lj_strfmt_wfnum(SBuf *sb, SFormat sf, lua_Number n, char *p)
> + prec--;
> + if (!i) {
> + if (ndlo == ndhi) { prec = 0; break; }
> +- lj_strfmt_wuint9(tail, nd[++ndlo]);
> ++ ndlo = (ndlo + 1) & 0x3f;
> ++ lj_strfmt_wuint9(tail, nd[ndlo]);
> + i = 9;
> + }
> + }
> +--
> +2.34.1
> +
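Review bot: The `+From: Changqing Li<changqing.li@windriver.com>` header of the embedded patch names the backporter as the author, so `git am` will attribute the upstream change to the wrong person; for an `Upstream-Status: Backport` keep the original author and date of upstream commit 343ce0edaf3906a62022936175b2f5410024cbfc and leave your own Signed-off-by below it, as the patch already does. Also, as quoted here the inner `src/lj_strfmt_num.c` hunk has lost its leading indentation (`+ prec--;`, `+ if (!i) {`); please confirm the file in the tree still carries the original whitespace, otherwise the patch will not apply in do_patch. The change itself reads correctly: `ndlo = (ndlo + 1) & 0x3f;` wraps the digit index before `lj_strfmt_wuint9(tail, nd[ndlo]);`, where the old `nd[++ndlo]` could walk past the end of `nd` (the hunk does not show the array's size; the mask assumes 64 entries), so it would be worth stating in the commit message that this is an out-of-bounds read fix.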
> diff --git a/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25177.patch b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25177.patch
> new file mode 100644
> index 0000000000..73ad9837aa
> --- /dev/null
> +++ b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25177.patch
> @@ -0,0 +1,44 @@
> +From c8421200e9accf5a10a52768bb3dca2f555bd092 Mon Sep 17 00:00:00 2001
> +From: Changqing Li<changqing.li@windriver.com>
> +Date: Tue, 5 Aug 2025 15:05:07 +0800
> +Subject: [PATCH] Fix unsinking of IR_FSTORE for NULL metatable.
> +
> +Reported by pwnhacker0x18. #1147
> +
> +CVE: CVE-2024-25177
> +Upstream-Status: Backport [https://github.com/openresty/luajit2/commit/85b4fed0b0353dd78c8c875c2f562d522a2b310f]
> +
> +Signed-off-by: Changqing Li<changqing.li@windriver.com>
> +---
> + src/lj_snap.c | 5 +++++
> + 1 file changed, 5 insertions(+)
> +
> +diff --git a/src/lj_snap.c b/src/lj_snap.c
> +index 4140fdb7..d7027875 100644
> +--- a/src/lj_snap.c
> ++++ b/src/lj_snap.c
> +@@ -453,6 +453,7 @@ static TRef snap_replay_const(jit_State *J, IRIns *ir)
> + case IR_KNUM: case IR_KINT64:
> + return lj_ir_k64(J, (IROp)ir->o, ir_k64(ir)->u64);
> + case IR_KPTR: return lj_ir_kptr(J, ir_kptr(ir)); /* Continuation. */
> ++ case IR_KNULL: return lj_ir_knull(J, irt_type(ir->t));
> + default: lj_assertJ(0, "bad IR constant op %d", ir->o); return TREF_NIL;
> + }
> + }
> +@@ -882,9 +883,13 @@ static void snap_unsink(jit_State *J, GCtrace *T, ExitState *ex,
> + if (irk->o == IR_FREF) {
> + lj_assertJ(irk->op2 == IRFL_TAB_META,
> + "sunk store with bad field %d", irk->op2);
> ++ if (T->ir[irs->op2].o == IR_KNULL) {
> ++ setgcrefnull(t->metatable);
> ++ } else {
> + snap_restoreval(J, T, ex, snapno, rfilt, irs->op2, &tmp);
> + /* NOBARRIER: The table is new (marked white). */
> + setgcref(t->metatable, obj2gco(tabV(&tmp)));
> ++ }
> + } else {
> + irk = &T->ir[irk->op2];
> + if (irk->o == IR_KSLOT) irk = &T->ir[irk->op1];
> +--
> +2.34.1
> +
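Review bot: The `Upstream-Status: Backport [...]` line cites a commit in the openresty/luajit2 fork, while the recipe fetches `git://luajit.org/git/luajit-2.0.git`; a Backport tag should point at the commit in the tree the recipe actually builds from, or say explicitly that the change was taken from the fork, so that cve-check and later rebases can match it. The same two remarks as on the first patch apply here: the `+From:` line credits the backporter rather than the upstream author, and the inner `src/lj_snap.c` hunks appear with their indentation collapsed, which needs checking against the file in the tree. The logic is consistent between the two hunks: `snap_replay_const` gains `case IR_KNULL: return lj_ir_knull(J, irt_type(ir->t));`, and `snap_unsink` now takes the `setgcrefnull(t->metatable);` branch when `T->ir[irs->op2].o == IR_KNULL` instead of going through `snap_restoreval` and `tabV(&tmp)` for a value that is not a table.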
> diff --git a/meta-oe/recipes-devtools/luajit/luajit_git.bb b/meta-oe/recipes-devtools/luajit/luajit_git.bb
> index 3f3939eeb4..52126d2790 100644
> --- a/meta-oe/recipes-devtools/luajit/luajit_git.bb
> +++ b/meta-oe/recipes-devtools/luajit/luajit_git.bb
> @@ -6,6 +6,8 @@ HOMEPAGE ="http://luajit.org"
> SRC_URI = "git://luajit.org/git/luajit-2.0.git;protocol=http;branch=v2.1 \
> file://0001-Do-not-strip-automatically-this-leaves-the-stripping.patch \
> file://clang.patch \
> +file://CVE-2024-25176.patch \
> +file://CVE-2024-25177.patch \
> "
>
> # Set PV to a version tag and date (YYMMDD) associated with SRCREV if it is later.
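Review bot: Nothing blocking in this hunk; the two `file://CVE-2024-25176.patch \` and `file://CVE-2024-25177.patch \` entries follow the existing SRC_URI style. One suggestion for the V2 you announced: the subject "luajit: fix CVEs" gives git history and cve-check reviewers little to search on, so name the ids in the subject, e.g. "luajit: fix CVE-2024-25176, CVE-2024-25177", and mention in the body which upstream commits were backported.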
>
>