From ac525c772c8758e0883bf61674f299c6fec936b5 Mon Sep 17 00:00:00 2001 From: Sergey Bronnikov Date: Wed, 23 Apr 2025 18:27:52 +0300 Subject: [PATCH 1/2] trophies: update tarantool issues --- CITATION.cff | 2 +- TROPHIES.md | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/CITATION.cff b/CITATION.cff index 066744c2..d8fe3277 100644 --- a/CITATION.cff +++ b/CITATION.cff @@ -16,7 +16,7 @@ abstract: >- stable by combining modern fuzzing techniques with scalable, distributed execution. As of April 2025, the project has helped identify and fix 5 bugs in PUC Rio Lua, 26 bugs in - LuaJIT, and 4 bugs in Tarantool. + LuaJIT, and 6 bugs in Tarantool. type: software repository-code: "https://github.com/ligurio/lua-c-api-tests" keywords: diff --git a/TROPHIES.md b/TROPHIES.md index 5591bc0f..9add9e04 100644 --- a/TROPHIES.md +++ b/TROPHIES.md @@ -96,6 +96,12 @@ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=57435 1. Recording of `__concat` in GC64 mode, https://github.com/LuaJIT/LuaJIT/issues/839 +1. Heap buffer overflow in the `lj_strfmt_pushvf` on stack overflow, + https://issues.oss-fuzz.com/issues/394126186, + https://github.com/tarantool/security/issues/143 +1. `IR_NEWREF` is missing a NaN check, + https://issues.oss-fuzz.com/issues/42529868 + https://github.com/LuaJIT/LuaJIT/issues/1069 ### Related issues From 13395b474ca8223b482a546839cdbe946889459a Mon Sep 17 00:00:00 2001 From: Sergey Bronnikov Date: Tue, 6 May 2025 16:42:27 +0300 Subject: [PATCH 2/2] readme: update known issues - Fixed typos. - Added a note regarding C declarations parser. --- README.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index afc46653..fd170d14 100644 --- a/README.md +++ b/README.md 
@@ -80,10 +80,10 @@ limitations in LuaJIT and PUC Rio Lua: a part of the LuaJIT itself. Memory leaks are suppressed in AddressSanitizer with a function `__lsan_is_turned_off()` that disallows leak checking for the program it is linked into. -1. In LuaJIT a function `lj_str_new()` may read past a buffer end - (so-called "dirty" read) and that's ok. Suppressed in +1. In LuaJIT, a function `lj_str_new()` may read past a buffer end + (so-called "dirty" read), and that's ok. Suppressed in AddressSanitizer with `__attribute__((no_sanitize_address))`. -1. In LuaJIT, bytecode input is unsafe, see [LuaJIT#847][LuaJIT#847] +1. In LuaJIT, bytecode input is unsafe; see [LuaJIT#847][LuaJIT#847] and [LuaJIT FAQ][LuaJIT FAQ]. The string "mode" controls whether the chunk can be text or binary (that is, a precompiled chunk). It may be the string "b" (only binary chunks), @@ -100,12 +100,16 @@ limitations in LuaJIT and PUC Rio Lua: violate basic assumptions about Lua code and therefore can compromise otherwise secure code. See [LuaJIT#1264][LuaJIT#1264] and [Lua 5.4 Reference Manual][refmanual54]. The `debug` - functions is not a subject of testing and these functions are + functions are not a subject of testing, and these functions are used carefully. -1. In LuaJIT there are a number of places with undefined behavior +1. In LuaJIT, there are a number of places with undefined behavior ("nonnull-attribute", "signed-integer-overflow", "bounds"). These problems remain unfixed and suppressed in UndefinedBehavior Sanitizer. +1. In LuaJIT, there is a minimal C declaration parser, and it is not + a validating C parser: "The parser ought to return correct + results for properly formed C declarations, but it may accept + some invalid declarations, too (and return nonsense)". [LuaJIT#847]: https://github.com/LuaJIT/LuaJIT/issues/847 [LuaJIT#1264]: https://github.com/LuaJIT/LuaJIT/issues/1264
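Review bot: the Tarantool bug count in the CITATION.cff abstract goes from 4 to 6, but of the two trophies added to TROPHIES.md in this same patch only the `lj_strfmt_pushvf` heap buffer overflow links a tarantool/security issue (https://github.com/tarantool/security/issues/143); the `IR_NEWREF` NaN check links https://github.com/LuaJIT/LuaJIT/issues/1069. Either count that one under LuaJIT (26 to 27) or explain in the commit message why it is attributed to Tarantool, so the numbers in CITATION.cff stay traceable to the trophy list.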
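Review bot: in the TROPHIES.md hunk the second added entry is missing the trailing comma after `https://issues.oss-fuzz.com/issues/42529868`, while the first entry separates its two links with a comma; make the two entries consistent. The first entry also reads better without the stray article, i.e. `Heap buffer overflow in `lj_strfmt_pushvf` on stack overflow`.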
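Review bot: in the second README.md hunk the new list item quotes the sentence "The parser ought to return correct results for properly formed C declarations, but it may accept some invalid declarations, too (and return nonsense)" without saying where it comes from, whereas the neighbouring items cite their sources through reference links (`[LuaJIT#847][LuaJIT#847]`, `[LuaJIT FAQ][LuaJIT FAQ]`); add a link definition for the LuaJIT document the sentence is quoted from next to the existing `[LuaJIT#847]:` and `[LuaJIT#1264]:` definitions. Every other entry in this known-issues list also states how the limitation is handled by the tests (suppressed in AddressSanitizer, "used carefully", suppressed in UndefinedBehavior Sanitizer); this entry should do the same, for example by stating whether nonsense results or crashes from `ffi.cdef` on malformed declarations are out of scope for these fuzzers or are still reported.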