* Re: [oe] [kirkstone][meta-oe][PATCH] luajit: fix CVEs
[not found] <185920C7B2EC82CE.26265@lists.openembedded.org>
From: Changqing Li @ 2025-08-06 9:39 UTC
To: openembedded-devel
Please ignore this mail; I will send a V2 later.
Regards
Changqing
On 8/6/25 16:39, Changqing Li via lists.openembedded.org wrote:
> From: Changqing Li <changqing.li@windriver.com>
>
> fix CVE-2024-25176, CVE-2024-25177
>
> Signed-off-by: Changqing Li <changqing.li@windriver.com>
> ---
> .../luajit/luajit/CVE-2024-25176.patch | 32 ++++++++++++++
> .../luajit/luajit/CVE-2024-25177.patch | 44 +++++++++++++++++++
> meta-oe/recipes-devtools/luajit/luajit_git.bb | 2 +
> 3 files changed, 78 insertions(+)
> create mode 100644 meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25176.patch
> create mode 100644 meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25177.patch
>
> diff --git a/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25176.patch b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25176.patch
> new file mode 100644
> index 0000000000..7dba4e8239
> --- /dev/null
> +++ b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25176.patch
> @@ -0,0 +1,32 @@
> +From 810bf18ff0ddbae9b2ceb30dd8b9c901cc634d1f Mon Sep 17 00:00:00 2001
> +From: Changqing Li<changqing.li@windriver.com>
> +Date: Tue, 5 Aug 2025 14:49:06 +0800
> +Subject: [PATCH] Fix zero stripping in %g number formatting.
> +
> +Reported by pwnhacker0x18. #1149
> +
> +CVE: CVE-2024-25176
> +Upstream-Status: Backport [https://github.com/LuaJIT/LuaJIT/commit/343ce0edaf3906a62022936175b2f5410024cbfc]
> +
> +Signed-off-by: Changqing Li<changqing.li@windriver.com>
> +---
> + src/lj_strfmt_num.c | 3 ++-
> + 1 file changed, 2 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/lj_strfmt_num.c b/src/lj_strfmt_num.c
> +index 3c60695c..41214894 100644
> +--- a/src/lj_strfmt_num.c
> ++++ b/src/lj_strfmt_num.c
> +@@ -454,7 +454,8 @@ static char *lj_strfmt_wfnum(SBuf *sb, SFormat sf, lua_Number n, char *p)
> + prec--;
> + if (!i) {
> + if (ndlo == ndhi) { prec = 0; break; }
> +- lj_strfmt_wuint9(tail, nd[++ndlo]);
> ++ ndlo = (ndlo + 1) & 0x3f;
> ++ lj_strfmt_wuint9(tail, nd[ndlo]);
> + i = 9;
> + }
> + }
> +--
> +2.34.1
> +
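Review bot: the From: line of CVE-2024-25176.patch names the backporter rather than the upstream commit's author, even though Upstream-Status marks it as a Backport of LuaJIT commit 343ce0edaf3906a62022936175b2f5410024cbfc; keep the original author and commit message in the header and record the backport through the Signed-off-by trailer, so the provenance stated in Upstream-Status can be checked against the header. The code change itself reads correctly: the removed `lj_strfmt_wuint9(tail, nd[++ndlo]);` advanced ndlo without bound, so repeated zero stripping could index nd[] past its end, while `ndlo = (ndlo + 1) & 0x3f;` wraps the index with the 0x3f mask before it is used, consistent with the `ndlo == ndhi` comparison on the line above.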
> diff --git a/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25177.patch b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25177.patch
> new file mode 100644
> index 0000000000..73ad9837aa
> --- /dev/null
> +++ b/meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25177.patch
> @@ -0,0 +1,44 @@
> +From c8421200e9accf5a10a52768bb3dca2f555bd092 Mon Sep 17 00:00:00 2001
> +From: Changqing Li<changqing.li@windriver.com>
> +Date: Tue, 5 Aug 2025 15:05:07 +0800
> +Subject: [PATCH] Fix unsinking of IR_FSTORE for NULL metatable.
> +
> +Reported by pwnhacker0x18. #1147
> +
> +CVE: CVE-2024-25177
> +Upstream-Status: Backport [https://github.com/openresty/luajit2/commit/85b4fed0b0353dd78c8c875c2f562d522a2b310f]
> +
> +Signed-off-by: Changqing Li<changqing.li@windriver.com>
> +---
> + src/lj_snap.c | 5 +++++
> + 1 file changed, 5 insertions(+)
> +
> +diff --git a/src/lj_snap.c b/src/lj_snap.c
> +index 4140fdb7..d7027875 100644
> +--- a/src/lj_snap.c
> ++++ b/src/lj_snap.c
> +@@ -453,6 +453,7 @@ static TRef snap_replay_const(jit_State *J, IRIns *ir)
> + case IR_KNUM: case IR_KINT64:
> + return lj_ir_k64(J, (IROp)ir->o, ir_k64(ir)->u64);
> + case IR_KPTR: return lj_ir_kptr(J, ir_kptr(ir)); /* Continuation. */
> ++ case IR_KNULL: return lj_ir_knull(J, irt_type(ir->t));
> + default: lj_assertJ(0, "bad IR constant op %d", ir->o); return TREF_NIL;
> + }
> + }
> +@@ -882,9 +883,13 @@ static void snap_unsink(jit_State *J, GCtrace *T, ExitState *ex,
> + if (irk->o == IR_FREF) {
> + lj_assertJ(irk->op2 == IRFL_TAB_META,
> + "sunk store with bad field %d", irk->op2);
> ++ if (T->ir[irs->op2].o == IR_KNULL) {
> ++ setgcrefnull(t->metatable);
> ++ } else {
> + snap_restoreval(J, T, ex, snapno, rfilt, irs->op2, &tmp);
> + /* NOBARRIER: The table is new (marked white). */
> + setgcref(t->metatable, obj2gco(tabV(&tmp)));
> ++ }
> + } else {
> + irk = &T->ir[irk->op2];
> + if (irk->o == IR_KSLOT) irk = &T->ir[irk->op1];
> +--
> +2.34.1
> +
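Review bot: Upstream-Status for CVE-2024-25177.patch points at openresty/luajit2 commit 85b4fed0b0353dd78c8c875c2f562d522a2b310f, but the recipe fetches luajit.org's luajit-2.0.git (branch v2.1), not the OpenResty fork; if the fix exists in the LuaJIT/LuaJIT tree, reference that commit so the Backport tag can be verified against the actual upstream, otherwise state explicitly that it is backported from the fork. The two additions are consistent with each other: snap_replay_const gains a `case IR_KNULL: return lj_ir_knull(J, irt_type(ir->t));` so a NULL metatable constant can be replayed, and snap_unsink now tests `T->ir[irs->op2].o == IR_KNULL` before calling snap_restoreval, clearing the metatable with setgcrefnull instead of passing a non-table value through tabV(&tmp).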
> diff --git a/meta-oe/recipes-devtools/luajit/luajit_git.bb b/meta-oe/recipes-devtools/luajit/luajit_git.bb
> index 3f3939eeb4..52126d2790 100644
> --- a/meta-oe/recipes-devtools/luajit/luajit_git.bb
> +++ b/meta-oe/recipes-devtools/luajit/luajit_git.bb
> @@ -6,6 +6,8 @@ HOMEPAGE ="http://luajit.org"
> SRC_URI = "git://luajit.org/git/luajit-2.0.git;protocol=http;branch=v2.1 \
> file://0001-Do-not-strip-automatically-this-leaves-the-stripping.patch \
> file://clang.patch \
> +file://CVE-2024-25176.patch \
> +file://CVE-2024-25177.patch \
> "
>
> # Set PV to a version tag and date (YYMMDD) associated with SRCREV if it is later.
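Review bot: the SRC_URI in the context above still fetches luajit-2.0.git with protocol=http (unchanged by this patch), so the integrity of the tree that the two new CVE patches are applied to rests on the pinned revision rather than on the transport; worth a separate follow-up to move to https if luajit.org serves it. The two new file:// entries follow the existing list convention, and since each patch file carries a CVE: tag and a CVE-named filename, cve-check will report CVE-2024-25176 and CVE-2024-25177 as patched for this recipe.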
>
> View/Reply Online (#118890): https://lists.openembedded.org/g/openembedded-devel/message/118890