From 2a9ff2581c790fecc840a3149665674373a04c58 Mon Sep 17 00:00:00 2001 From: Sergey Bronnikov Date: Fri, 14 Feb 2025 13:44:15 +0300 Subject: [PATCH 1/2] trophies: update --- CITATION.cff | 4 ++-- TROPHIES.md | 16 ++++++++++++++-- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/CITATION.cff b/CITATION.cff index c56cfc26..066744c2 100644 --- a/CITATION.cff +++ b/CITATION.cff @@ -14,8 +14,8 @@ abstract: >- continuous fuzzing for Lua runtimes: PUC Rio Lua and LuaJIT. It aims to make these open-source software more secure and stable by combining modern fuzzing techniques with scalable, - distributed execution. As of August 2024, lua-c-api-tests has - helped identify and fix 5 bugs in PUC Rio Lua, 23 bugs in + distributed execution. As of April 2025, the project has + helped identify and fix 5 bugs in PUC Rio Lua, 26 bugs in LuaJIT, and 4 bugs in Tarantool. type: software repository-code: "https://github.com/ligurio/lua-c-api-tests" diff --git a/TROPHIES.md b/TROPHIES.md index bc530661..5591bc0f 100644 --- a/TROPHIES.md +++ b/TROPHIES.md @@ -10,10 +10,16 @@ https://marc.info/?l=lua-l&m=170274071304413&w=2 https://github.com/lua/lua/commit/5853c37a83ec66ccb45094f9aeac23dfdbcde671 1. "heap-use-after-free" issue in `luaV_finishget`, - https://groups.google.com/g/lua-l/c/s2hBcf8aLIU + https://groups.google.com/g/lua-l/c/s2hBcf8aLIU, + https://oss-fuzz.com/testcase-detail/5350818532360192, https://github.com/lua/lua/commit/88a50ffa715483e7187c0d7d6caaf708ebacf756 1. Assertion in `luaK_codeABCk`, - https://groups.google.com/g/lua-l/c/H0Iq-eAig94 + https://groups.google.com/g/lua-l/c/H0Iq-eAig94, + https://oss-fuzz.com/testcase-detail/5166379907481600 +1. An assertion is triggered in `lgc.c:freeobj()`, + https://groups.google.com/g/lua-l/c/CCpPLX1ug3A, + https://oss-fuzz.com/testcase-detail/6073198411579392, + https://github.com/lua/lua/commit/f9e35627ed26dff4114a1d01ff113d8b4cc91ab5 ### LuaJIT 
@@ -72,6 +78,12 @@ https://github.com/LuaJIT/LuaJIT/issues/1164 1. Incorrect narrowing for huge numbers, https://github.com/LuaJIT/LuaJIT/issues/1236 +1. Assertion failure when flushing already flushed trace, + https://github.com/LuaJIT/LuaJIT/issues/1345 +1. Read from already collected string data in case of the error in loadfile, + https://github.com/LuaJIT/LuaJIT/issues/1353 +1. JIT slots overflow for side-trace after up-recursion, + https://github.com/LuaJIT/LuaJIT/issues/1358 ### Tarantool From ad21c364eebf91ff7be3ccdc723d2fb6f5943e4a Mon Sep 17 00:00:00 2001 From: Sergey Bronnikov Date: Tue, 18 Mar 2025 21:27:40 +0300 Subject: [PATCH 2/2] readme: add known issues --- README.md | 46 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/README.md b/README.md index fdc861ba..afc46653 100644 --- a/README.md +++ b/README.md 
@@ -66,6 +66,52 @@ cd build && RUNS=100000 ctest -R luaL_gsub_test --verbose - [Lua 5.2 Reference Manual: 4 – The Application Program Interface](https://www.lua.org/manual/5.2/manual.html#4) - [Lua 5.1 Reference Manual: 3 – The Application Program Interface](https://www.lua.org/manual/5.1/manual.html#3) +### Known Issues + +Fuzzing can find a wide variety of problems, but not all problems +are considered bugs. Some problems are due to known limitations in +the implementation. This section contains a list of such +limitations in LuaJIT and PUC Rio Lua: + +1. In LuaJIT, the build infrastructure includes a source code that + contains memory leaks and other problems. For example, + `src/host/buildvm.c` and `src/host/minilua.c`, these files are + only used during the LuaJIT build process, and they are not + a part of the LuaJIT itself. Memory leaks are suppressed in + AddressSanitizer with a function `__lsan_is_turned_off()` that + disallows leak checking for the program it is linked into. +1. In LuaJIT a function `lj_str_new()` may read past a buffer end + (so-called "dirty" read) and that's ok. Suppressed in + AddressSanitizer with `__attribute__((no_sanitize_address))`. +1. In LuaJIT, bytecode input is unsafe, see [LuaJIT#847][LuaJIT#847] + and [LuaJIT FAQ][LuaJIT FAQ]. The string "mode" controls + whether the chunk can be text or binary (that is, a precompiled + chunk). It may be the string "b" (only binary chunks), + "t" (only text chunks), or "bt" (both binary and text). The + default is "bt". PUC Rio Lua and LuaJIT both have bytecode and + Lua source code parsers. It is desired to test both + parsers; however, the LuaJIT bytecode parser failed with the + assertion: LuaJIT ASSERT `lj_bcread.c:123: bcread_byte: buffer + read overflow`, so with LuaJIT only text mode is used, and + therefore only the text parser is tested. +1. The `debug` library is defined as unsafe. There are tons of ways + to produce a crash with it. 
This library provides the functionality + of the debug interface to Lua programs. Several of its functions + violate basic assumptions about Lua code and therefore can + compromise otherwise secure code. See [LuaJIT#1264][LuaJIT#1264] + and [Lua 5.4 Reference Manual][refmanual54]. The `debug` + functions is not a subject of testing and these functions are + used carefully. +1. In LuaJIT there are a number of places with undefined behavior + ("nonnull-attribute", "signed-integer-overflow", "bounds"). + These problems remain unfixed and suppressed in + UndefinedBehavior Sanitizer. + +[LuaJIT#847]: https://github.com/LuaJIT/LuaJIT/issues/847 +[LuaJIT#1264]: https://github.com/LuaJIT/LuaJIT/issues/1264 +[LuaJIT FAQ]: https://luajit.org/faq.html#sandbox +[refmanual54]: https://www.lua.org/manual/5.4/manual.html#6.10 + ### License Copyright (C) 2022-2025 [Sergey Bronnikov](https://bronevichok.ru/),
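Review bot: in the CITATION.cff hunk the rewritten abstract says "As of April 2025" while this commit is dated Fri, 14 Feb 2025 and the second patch in the series Tue, 18 Mar 2025, so the date reads as a forward-dated placeholder; use the date the counts were actually taken, or refresh it when the series lands. The counts themselves are only partly consistent with the TROPHIES.md changes in the same commit: the LuaJIT count goes from 23 to 26, matching the three new LuaJIT issues (#1345, #1353, #1358), but the PUC Rio Lua count stays at 5 even though a new PUC Rio Lua entry (`An assertion is triggered in lgc.c:freeobj()`) is added, so check whether that line should read "6 bugs in PUC Rio Lua".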
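Review bot: in the TROPHIES.md PUC Rio Lua hunk, the added `https://oss-fuzz.com/testcase-detail/...` links typically require an OSS-Fuzz sign-in with access to the project, so a reader following the list from GitHub may land on a login page rather than the reproducer; keeping the public lua-l thread and the lua commit as the primary references and marking the OSS-Fuzz links as restricted would make that clear. Style nit: the new entry "An assertion is triggered in `lgc.c:freeobj()`" differs from the noun-phrase form used by its neighbours ("Assertion in `luaK_codeABCk`"); "Assertion in `lgc.c:freeobj()`" would match.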
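Review bot: in the TROPHIES.md LuaJIT hunk, the second new entry has a grammar slip: "Read from already collected string data in case of the error in loadfile" should be "in case of an error in `loadfile`", and `loadfile` should get the same backtick formatting the other entries use for function names (for example `luaV_finishget`). The three new issues do line up with the 23 -> 26 change in CITATION.cff.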
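Review bot: in the README.md hunk, items 1, 2 and 5 say that the leak, the `lj_str_new()` out-of-bounds read and the undefined-behavior findings are "suppressed" but never say where the suppressions live (a suppression file, a build flag, a wrapper source), so a reader who hits one of these reports cannot confirm it is the documented case; please add the file or option name to each item. Related precision points: `__lsan_is_turned_off()` is a LeakSanitizer hook, so "suppressed in AddressSanitizer" is better phrased as "suppressed in LeakSanitizer (part of ASan)"; item 3 introduces 'The string "mode"' without saying it is the `mode` argument of `load`/`lua_load`, and it should state explicitly that the quoted assertion `lj_bcread.c:123: bcread_byte: buffer read overflow` is the expected result of feeding unvalidated bytecode to a parser that is documented as unsafe, not a bug to report. Grammar: "includes a source code that contains" -> "includes source code that contains"; "The `debug` functions is not a subject of testing" -> "The `debug` functions are not subject to testing"; "UndefinedBehavior Sanitizer" -> "UndefinedBehaviorSanitizer".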