Please ignore this mail, I will send a V2 later.
Regards
Changqing
From: Changqing Li <changqing.li@windriver.com>
fix CVE-2024-25176, CVE-2024-25177
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
 .../luajit/luajit/CVE-2024-25176.patch | 32 ++++++++++++++
 .../luajit/luajit/CVE-2024-25177.patch | 44 +++++++++++++++++++
 meta-oe/recipes-devtools/luajit/luajit_git.bb | 2 +
 3 files changed, 78 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25176.patch
 create mode 100644 meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25177.patch
diff --git a/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25176.patch b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25176.patch
new file mode 100644
index 0000000000..7dba4e8239
--- /dev/null
+++ b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25176.patch
@@ -0,0 +1,32 @@
+From 810bf18ff0ddbae9b2ceb30dd8b9c901cc634d1f Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Tue, 5 Aug 2025 14:49:06 +0800
+Subject: [PATCH] Fix zero stripping in %g number formatting.
+
+Reported by pwnhacker0x18. #1149
+
+CVE: CVE-2024-25176
+Upstream-Status: Backport [https://github.com/LuaJIT/LuaJIT/commit/343ce0edaf3906a62022936175b2f5410024cbfc]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/lj_strfmt_num.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/lj_strfmt_num.c b/src/lj_strfmt_num.c
+index 3c60695c..41214894 100644
+--- a/src/lj_strfmt_num.c
++++ b/src/lj_strfmt_num.c
+@@ -454,7 +454,8 @@ static char *lj_strfmt_wfnum(SBuf *sb, SFormat sf, lua_Number n, char *p)
+ prec--;
+ if (!i) {
+ if (ndlo == ndhi) { prec = 0; break; }
+- lj_strfmt_wuint9(tail, nd[++ndlo]);
++ ndlo = (ndlo + 1) & 0x3f;
++ lj_strfmt_wuint9(tail, nd[ndlo]);
+ i = 9;
+ }
+ }
+--
+2.34.1
+
diff --git a/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25177.patch b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25177.patch
new file mode 100644
index 0000000000..73ad9837aa
--- /dev/null
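Review bot: The `From:` and `Date:` headers inside CVE-2024-25176.patch name the backporter rather than the author of the upstream commit that Upstream-Status points to (LuaJIT 343ce0edaf39…), so the patch header no longer reflects the change's provenance. For an Upstream-Status: Backport the usual practice is to generate the file from the cherry-picked upstream commit (e.g. `git format-patch` of the picked commit) so original authorship and message are preserved, with the CVE and Upstream-Status tags added below them. The same applies to CVE-2024-25177.patch in the next hunk. The embedded code change, `ndlo = (ndlo + 1) & 0x3f;` replacing the unbounded `++ndlo`, is taken verbatim from upstream and should stay verbatim; `lj_strfmt_wfnum` itself begins and ends outside the quoted lines.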
+++ b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25177.patch
@@ -0,0 +1,44 @@
+From c8421200e9accf5a10a52768bb3dca2f555bd092 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Tue, 5 Aug 2025 15:05:07 +0800
+Subject: [PATCH] Fix unsinking of IR_FSTORE for NULL metatable.
+
+Reported by pwnhacker0x18. #1147
+
+CVE: CVE-2024-25177
+Upstream-Status: Backport [https://github.com/openresty/luajit2/commit/85b4fed0b0353dd78c8c875c2f562d522a2b310f]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/lj_snap.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/lj_snap.c b/src/lj_snap.c
+index 4140fdb7..d7027875 100644
+--- a/src/lj_snap.c
++++ b/src/lj_snap.c
+@@ -453,6 +453,7 @@ static TRef snap_replay_const(jit_State *J, IRIns *ir)
+ case IR_KNUM: case IR_KINT64:
+ return lj_ir_k64(J, (IROp)ir->o, ir_k64(ir)->u64);
+ case IR_KPTR: return lj_ir_kptr(J, ir_kptr(ir)); /* Continuation. */
++ case IR_KNULL: return lj_ir_knull(J, irt_type(ir->t));
+ default: lj_assertJ(0, "bad IR constant op %d", ir->o); return TREF_NIL;
+ }
+ }
+@@ -882,9 +883,13 @@ static void snap_unsink(jit_State *J, GCtrace *T, ExitState *ex,
+ if (irk->o == IR_FREF) {
+ lj_assertJ(irk->op2 == IRFL_TAB_META,
+ "sunk store with bad field %d", irk->op2);
++ if (T->ir[irs->op2].o == IR_KNULL) {
++ setgcrefnull(t->metatable);
++ } else {
+ snap_restoreval(J, T, ex, snapno, rfilt, irs->op2, &tmp);
+ /* NOBARRIER: The table is new (marked white). */
+ setgcref(t->metatable, obj2gco(tabV(&tmp)));
++ }
+ } else {
+ irk = &T->ir[irk->op2];
+ if (irk->o == IR_KSLOT) irk = &T->ir[irk->op1];
+--
+2.34.1
+
diff --git a/meta-oe/recipes-devtools/luajit/luajit_git.bb b/meta-oe/recipes-devtools/luajit/luajit_git.bb
index 3f3939eeb4..52126d2790 100644
--- a/meta-oe/recipes-devtools/luajit/luajit_git.bb
+++ b/meta-oe/recipes-devtools/luajit/luajit_git.bb
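Review bot: The Upstream-Status in CVE-2024-25177.patch cites a commit in the openresty/luajit2 fork, while the recipe's SRC_URI fetches LuaJIT from luajit.org's v2.1 branch, so the tag does not identify a commit in the project actually being built. If the LuaJIT repository carries the equivalent fix for #1147, the Backport reference should point at that commit; if it does not, the tag should say so explicitly (the fork commit being the source of the backport) so that whoever later rebases or drops this patch against a SRCREV bump knows what to compare against. Both `snap_replay_const` and `snap_unsink` begin and end outside the quoted hunks.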
@@ -6,6 +6,8 @@ HOMEPAGE = "http://luajit.org"
 SRC_URI = "git://luajit.org/git/luajit-2.0.git;protocol=http;branch=v2.1 \
 file://0001-Do-not-strip-automatically-this-leaves-the-stripping.patch \
 file://clang.patch \
+ file://CVE-2024-25176.patch \
+ file://CVE-2024-25177.patch \
 "
 
 # Set PV to a version tag and date (YYMMDD) associated with SRCREV if it is later.
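Review bot: Since this recipe tracks the v2.1 branch through SRCREV (the `# Set PV ... associated with SRCREV` context line in this hunk), it is worth checking whether advancing SRCREV past upstream commit 343ce0edaf39 would make CVE-2024-25176.patch unnecessary instead of carrying a local backport. CVE-2024-25177.patch references an openresty/luajit2 commit rather than a LuaJIT one, so a SRCREV bump alone may not cover it and that needs to be confirmed separately. If both patches are kept, appending them after `file://clang.patch \` is fine as written.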