NetBSD Problem Report #52226
From www@NetBSD.org Thu May 11 18:18:13 2017
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id E44E07A1B9
for <gnats-bugs@gnats.NetBSD.org>; Thu, 11 May 2017 18:18:13 +0000 (UTC)
Message-Id: <20170511181812.B52A87A2AB@mollari.NetBSD.org>
Date: Thu, 11 May 2017 18:18:12 +0000 (UTC)
From: alexander@mihalicyn.com
Reply-To: alexander@mihalicyn.com
To: gnats-bugs@NetBSD.org
Subject: Freeze (infinite loop) in kernel on double lua module require
X-Send-Pr-Version: www-1.0
>Number: 52226
>Category: kern
>Synopsis: Freeze (infinite loop) in kernel on double lua module require
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu May 11 18:20:00 +0000 2017
>Closed-Date: Sat May 20 08:32:21 +0000 2017
>Last-Modified: Sun Jul 23 06:05:01 +0000 2017
>Originator: Alexander Mihalicyn
>Release: 7.1
>Organization:
>Environment:
NetBSD netbsd 7.1 NetBSD 7.1 (GENERIC.201703111743Z) i386
>Description:
The problem is that there is no check whether a Lua module has already been required, so the module is loaded twice. After that the list structure is corrupted (one of the nodes points to itself). If we iterate over that list we get an infinite loop in the kernel...
Take a look at https://github.com/IIJ-NetBSD/netbsd-src/blob/master/sys/modules/lua/lua.c (function lua_require(lua_State *L)).
If we try to require a Lua module twice we get a list with a node pointing to itself:
line 524:
LIST_INSERT_HEAD(&s->lua_modules, md, mod_next);
Before this line we need to check that our module is not loaded yet.
>How-To-Repeat:
Possible exploitation is very simple:
/root/test.lua:
systm = require 'systm'
execute commands:
luactl create s1
luactl load s1 /root/test.lua
luactl load s1 /root/test.lua
luactl destroy s1
Houston, we have a problem!
Thanks to lneto (lneto@NetBSD.org) for help and support ;)
>Fix:
--- a/sys/modules/lua/lua.c
+++ b/sys/modules/lua/lua.c
@@ -487,8 +487,21 @@ lua_require(lua_State *L)
device_printf(sc_self,
"require module %s\n",
md->mod_name);
+
+ /* add module to loaded list in state */
luaL_requiref(L, md->mod_name, md->open, 0);
+ /* check that module not loaded yet before increasing refcount and adding to state modules list */
+ LIST_FOREACH(m, &s->lua_modules, mod_next)
+ if (m == md) {
+ if (lua_verbose)
+ device_printf(sc_self,
+ "required module %s already loaded\n",
+ m->mod_name);
+
+ return 1;
+ }
+
md->refcount++;
LIST_INSERT_HEAD(&s->lua_modules, md, mod_next);
return 1;
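Review bot: the new LIST_FOREACH uses m as its iterator, but this is the only hunk in the patch and it adds no declaration for m. Unless lua_require() already has a pointer of md's type named m in scope, the declaration has to be added at the top of the function or the patch will not compile. The early return 1 inside the loop skips both md->refcount++ and LIST_INSERT_HEAD, which keeps the count at one reference per list entry.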
>Release-Note:
>Audit-Trail:
From: Marc Balmer <marc@msys.ch>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: kern/52226: Freeze (infinite loop) in kernel on double lua module require
Date: Thu, 11 May 2017 21:19:44 +0200
As lneto helped with the fix, will he commit it?
On 11.05.17 at 20:20, alexander@mihalicyn.com wrote:
>> Number: 52226
>> Category: kern
>> Synopsis: Freeze (infinite loop) in kernel on double lua module require
>> Confidential: no
>> Severity: serious
>> Priority: medium
>> Responsible: kern-bug-people
>> State: open
>> Class: sw-bug
>> Submitter-Id: net
>> Arrival-Date: Thu May 11 18:20:00 +0000 2017
>> Originator: Alexander Mihalicyn
>> Release: 7.1
>> Organization:
>> Environment:
> NetBSD netbsd 7.1 NetBSD 7.1 (GENERIC.201703111743Z) i386
>> Description:
> Problem with not checking that lua module already required and module loading two times. After that we got a list structure corrupted (one of the node pointing to itself). If we iterate over that list we got infinite loop in kernel...
>
> Take a look on https://github.com/IIJ-NetBSD/netbsd-src/blob/master/sys/modules/lua/lua.c (function lua_require(lua_State *L)).
>
> If we try to double require lua module we got a list with node pointing to itself:
> line 524:
> LIST_INSERT_HEAD(&s->lua_modules, md, mod_next);
>
> Before this line we need to check, that our module not loaded yet.
>> How-To-Repeat:
> Possible exploitation is very simple:
> /root/test.lua:
> systm = require 'systm'
>
> execute commands:
> luactl create s1
> luactl load s1 /root/test.lua
> luactl load s1 /root/test.lua
> luactl destroy s1
>
> Houston, we have a problem!
>
> Thanks to lneto (lneto@NetBSD.org) for help and support ;)
>> Fix:
> --- a/sys/modules/lua/lua.c
> +++ b/sys/modules/lua/lua.c
> @@ -487,8 +487,21 @@ lua_require(lua_State *L)
> device_printf(sc_self,
> "require module %s\n",
> md->mod_name);
> +
> + /* add module to loaded list in state */
> luaL_requiref(L, md->mod_name, md->open, 0);
>
> + /* check that module not loaded yet before increasing refcount and adding to state modules list */
> + LIST_FOREACH(m, &s->lua_modules, mod_next)
> + if (m == md) {
> + if (lua_verbose)
> + device_printf(sc_self,
> + "required module %s already loaded\n",
> + m->mod_name);
> +
> + return 1;
> + }
> +
> md->refcount++;
> LIST_INSERT_HEAD(&s->lua_modules, md, mod_next);
> return 1;
>
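Review bot: the added comment "add module to loaded list in state" sits directly above luaL_requiref(), while the next added comment refers to the "state modules list" s->lua_modules, so two different lists are easy to confuse here. Suggest rewording the first comment to say that it registers the module in the Lua state, and noting next to the check that luaL_requiref() is deliberately called before it, since luaL_requiref() runs unconditionally while the list insert does not.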
From: Alexander Mihalicyn <alexander@mihalicyn.com>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/52226: Freeze (infinite loop) in kernel on double lua module require
Date: Thu, 11 May 2017 22:43:01 +0300
Dear Marc Balmer,
We discussed this problem with Lourival more than a month ago. I checked
that the fix was not applied to the current source tree and reported the
problem with a patch. ;)
Regards,
Alexander
On Thu, May 11, 2017 at 10:20 PM, Marc Balmer <marc@msys.ch> wrote:
> The following reply was made to PR kern/52226; it has been noted by GNATS.
>
> From: Marc Balmer <marc@msys.ch>
> To: gnats-bugs@NetBSD.org
> Cc:
> Subject: Re: kern/52226: Freeze (infinite loop) in kernel on double lua
> module
> require
> Date: Thu, 11 May 2017 21:19:44 +0200
>
> As lneto helped with the fix, will he commit it?
>
> On 11.05.17 at 20:20, alexander@mihalicyn.com wrote:
> >> Number: 52226
> >> Category: kern
> >> Synopsis: Freeze (infinite loop) in kernel on double lua module
> require
> >> Confidential: no
> >> Severity: serious
> >> Priority: medium
> >> Responsible: kern-bug-people
> >> State: open
> >> Class: sw-bug
> >> Submitter-Id: net
> >> Arrival-Date: Thu May 11 18:20:00 +0000 2017
> >> Originator: Alexander Mihalicyn
> >> Release: 7.1
> >> Organization:
> >> Environment:
> > NetBSD netbsd 7.1 NetBSD 7.1 (GENERIC.201703111743Z) i386
> >> Description:
> > Problem with not checking that lua module already required and module
> loading two times. After that we got a list structure corrupted (one of the
> node pointing to itself). If we iterate over that list we got infinite loop
> in kernel...
> >
> > Take a look on https://github.com/IIJ-NetBSD/
> netbsd-src/blob/master/sys/modules/lua/lua.c (function
> lua_require(lua_State *L)).
> >
> > If we try to double require lua module we got a list with node pointing
> to itself:
> > line 524:
> > LIST_INSERT_HEAD(&s->lua_modules, md, mod_next);
> >
> > Before this line we need to check, that our module not loaded yet.
> >> How-To-Repeat:
> > Possible exploitation is very simple:
> > /root/test.lua:
> > systm = require 'systm'
> >
> > execute commands:
> > luactl create s1
> > luactl load s1 /root/test.lua
> > luactl load s1 /root/test.lua
> > luactl destroy s1
> >
> > Houston, we have a problem!
> >
> > Thanks to lneto (lneto@NetBSD.org) for help and support ;)
> >> Fix:
> > --- a/sys/modules/lua/lua.c
> > +++ b/sys/modules/lua/lua.c
> > @@ -487,8 +487,21 @@ lua_require(lua_State *L)
> > device_printf(sc_self,
> > "require module %s\n",
> > md->mod_name);
> > +
> > + /* add module to loaded list in state */
> > luaL_requiref(L, md->mod_name, md->open,
> 0);
> >
> > + /* check that module not loaded yet before
> increasing refcount and adding to state modules list */
> > + LIST_FOREACH(m, &s->lua_modules, mod_next)
> > + if (m == md) {
> > + if (lua_verbose)
> > +
> device_printf(sc_self,
> > + "required
> module %s already loaded\n",
> > +
> m->mod_name);
> > +
> > + return 1;
> > + }
> > +
> > md->refcount++;
> > LIST_INSERT_HEAD(&s->lua_modules, md,
> mod_next);
> > return 1;
> >
>
>
From: Alexander Mihalicyn <alexander@mihalicyn.com>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/52226: Freeze (infinite loop) in kernel on double lua module require
Date: Thu, 11 May 2017 22:48:12 +0300
Dear Marc Balmer,
We discussed this problem with Lourival more than a month ago. I
checked that the fix was not applied to the current source tree and
reported the problem with a patch. ;)
(I'm sorry for previous HTML reply :( )
Regards,
Alexander
On Thu, May 11, 2017 at 10:20 PM, Marc Balmer <marc@msys.ch> wrote:
> The following reply was made to PR kern/52226; it has been noted by GNATS.
>
> From: Marc Balmer <marc@msys.ch>
> To: gnats-bugs@NetBSD.org
> Cc:
> Subject: Re: kern/52226: Freeze (infinite loop) in kernel on double lua module
> require
> Date: Thu, 11 May 2017 21:19:44 +0200
>
> As lneto helped with the fix, will he commit it?
>
> On 11.05.17 at 20:20, alexander@mihalicyn.com wrote:
> >> Number: 52226
> >> Category: kern
> >> Synopsis: Freeze (infinite loop) in kernel on double lua module require
> >> Confidential: no
> >> Severity: serious
> >> Priority: medium
> >> Responsible: kern-bug-people
> >> State: open
> >> Class: sw-bug
> >> Submitter-Id: net
> >> Arrival-Date: Thu May 11 18:20:00 +0000 2017
> >> Originator: Alexander Mihalicyn
> >> Release: 7.1
> >> Organization:
> >> Environment:
> > NetBSD netbsd 7.1 NetBSD 7.1 (GENERIC.201703111743Z) i386
> >> Description:
> > Problem with not checking that lua module already required and module loading two times. After that we got a list structure corrupted (one of the node pointing to itself). If we iterate over that list we got infinite loop in kernel...
> >
> > Take a look on https://github.com/IIJ-NetBSD/netbsd-src/blob/master/sys/modules/lua/lua.c (function lua_require(lua_State *L)).
> >
> > If we try to double require lua module we got a list with node pointing to itself:
> > line 524:
> > LIST_INSERT_HEAD(&s->lua_modules, md, mod_next);
> >
> > Before this line we need to check, that our module not loaded yet.
> >> How-To-Repeat:
> > Possible exploitation is very simple:
> > /root/test.lua:
> > systm = require 'systm'
> >
> > execute commands:
> > luactl create s1
> > luactl load s1 /root/test.lua
> > luactl load s1 /root/test.lua
> > luactl destroy s1
> >
> > Houston, we have a problem!
> >
> > Thanks to lneto (lneto@NetBSD.org) for help and support ;)
> >> Fix:
> > --- a/sys/modules/lua/lua.c
> > +++ b/sys/modules/lua/lua.c
> > @@ -487,8 +487,21 @@ lua_require(lua_State *L)
> > device_printf(sc_self,
> > "require module %s\n",
> > md->mod_name);
> > +
> > + /* add module to loaded list in state */
> > luaL_requiref(L, md->mod_name, md->open, 0);
> >
> > + /* check that module not loaded yet before increasing refcount and adding to state modules list */
> > + LIST_FOREACH(m, &s->lua_modules, mod_next)
> > + if (m == md) {
> > + if (lua_verbose)
> > + device_printf(sc_self,
> > + "required module %s already loaded\n",
> > + m->mod_name);
> > +
> > + return 1;
> > + }
> > +
> > md->refcount++;
> > LIST_INSERT_HEAD(&s->lua_modules, md, mod_next);
> > return 1;
> >
>
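Review bot: style, on the added block: the one-line comment before LIST_FOREACH runs well past 80 columns and should be wrapped, and the loop body is a multi-line if with no braces around it, which makes the early return 1 easy to misread as sitting outside the loop. Suggest opening the loop as `LIST_FOREACH(m, &s->lua_modules, mod_next) {` with a matching closing brace after the if block.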
From: Marc Balmer <marc@msys.ch>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: kern/52226: Freeze (infinite loop) in kernel on double lua module require
Date: Thu, 11 May 2017 22:16:04 +0200
No problem with the HTML mail. Let's keep in contact to fix the problem.
From: Alexander Mihalicyn <alexander@mihalicyn.com>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/52226: Freeze (infinite loop) in kernel on double lua module require
Date: Thu, 11 May 2017 23:34:55 +0300
Ok. Thank you. ;)
On Thu, May 11, 2017 at 11:20 PM, Marc Balmer <marc@msys.ch> wrote:
> The following reply was made to PR kern/52226; it has been noted by GNATS.
>
> From: Marc Balmer <marc@msys.ch>
> To: gnats-bugs@NetBSD.org
> Cc:
> Subject: Re: kern/52226: Freeze (infinite loop) in kernel on double lua module
> require
> Date: Thu, 11 May 2017 22:16:04 +0200
>
> No problem with the HTML mail. Let's keep in contact to fix the problem.
>
State-Changed-From-To: open->closed
State-Changed-By: mbalmer@NetBSD.org
State-Changed-When: Sat, 20 May 2017 08:32:21 +0000
State-Changed-Why:
Slightly different fix applied to -current, thanks!
From: "Marc Balmer" <mbalmer@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/52226 CVS commit: src/sys/modules/lua
Date: Sat, 20 May 2017 08:31:13 +0000
Module Name: src
Committed By: mbalmer
Date: Sat May 20 08:31:13 UTC 2017
Modified Files:
src/sys/modules/lua: lua.c
Log Message:
Only load a module if it is not already loaded in a state (much like userland
Lua handles require).
Fixes PR kern/52226.
To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.22 src/sys/modules/lua/lua.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: Marc Balmer <marc@msys.ch>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/52226: Freeze (infinite loop) in kernel on double lua module require
Date: Sat, 20 May 2017 10:34:43 +0200
I just fixed this in NetBSD -current and requested a pullup to the netbsd-7 branch
On 11 May 2017 at 20:20:00, alexander@mihalicyn.com (alexander@mihalicyn.com) wrote:
>Number: 52226
>Category: kern
>Synopsis: Freeze (infinite loop) in kernel on double lua module require
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu May 11 18:20:00 +0000 2017
>Originator: Alexander Mihalicyn
>Release: 7.1
>Organization:
>Environment:
NetBSD netbsd 7.1 NetBSD 7.1 (GENERIC.201703111743Z) i386
>Description:
Problem with not checking that lua module already required and module loading two times. After that we got a list structure corrupted (one of the node pointing to itself). If we iterate over that list we got infinite loop in kernel...
Take a look on https://github.com/IIJ-NetBSD/netbsd-src/blob/master/sys/modules/lua/lua.c (function lua_require(lua_State *L)).
If we try to double require lua module we got a list with node pointing to itself:
line 524:
LIST_INSERT_HEAD(&s->lua_modules, md, mod_next);
Before this line we need to check, that our module not loaded yet.
>How-To-Repeat:
Possible exploitation is very simple:
/root/test.lua:
systm = require 'systm'
execute commands:
luactl create s1
luactl load s1 /root/test.lua
luactl load s1 /root/test.lua
luactl destroy s1
Houston, we have a problem!
Thanks to lneto (lneto@NetBSD.org) for help and support ;)
>Fix:
--- a/sys/modules/lua/lua.c
+++ b/sys/modules/lua/lua.c
@@ -487,8 +487,21 @@ lua_require(lua_State *L)
device_printf(sc_self,
"require module %s\n",
md->mod_name);
+
+ /* add module to loaded list in state */
luaL_requiref(L, md->mod_name, md->open, 0);
+ /* check that module not loaded yet before increasing refcount and adding to state modules list */
+ LIST_FOREACH(m, &s->lua_modules, mod_next)
+ if (m == md) {
+ if (lua_verbose)
+ device_printf(sc_self,
+ "required module %s already loaded\n",
+ m->mod_name);
+
+ return 1;
+ }
+
md->refcount++;
LIST_INSERT_HEAD(&s->lua_modules, md, mod_next);
return 1;
From: Alexander Mihalicyn <alexander@mihalicyn.com>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: PR/52226 CVS commit: src/sys/modules/lua
Date: Sat, 20 May 2017 17:27:00 +0300
Hello, Dear Marc Balmer,
I checked out the variant of the fix from CVS. Sorry, but is it fully correct?
I would like to point out that it's very important that in our original
fix the check for the module already being loaded in the state was between
the luaL_requiref call and md->refcount++. But in our last fix (from CVS)
we have that check before luaL_requiref. It seems that this may cause
a problem:
consider the following example:
----
luactl create s1
luactl load s1 /root/test.lua
luactl load s1 /root/test.lua
luactl destroy s1
test.lua:
systm = require 'systm'
systm.print("hello, kernel world!\n")
----
We get a problem because the module in the second call of luactl load won't
be loaded into the Lua context. And we get the messages:
hello, kernel world!
...and after that an error that print is undefined (or something similar ;)).
Thank you in advance.
Regards, Alex.
On Sat, May 20, 2017 at 11:35 AM, Marc Balmer <mbalmer@netbsd.org> wrote:
> The following reply was made to PR kern/52226; it has been noted by GNATS.
>
> From: "Marc Balmer" <mbalmer@netbsd.org>
> To: gnats-bugs@gnats.NetBSD.org
> Cc:
> Subject: PR/52226 CVS commit: src/sys/modules/lua
> Date: Sat, 20 May 2017 08:31:13 +0000
>
> Module Name: src
> Committed By: mbalmer
> Date: Sat May 20 08:31:13 UTC 2017
>
> Modified Files:
> src/sys/modules/lua: lua.c
>
> Log Message:
> Only load a module if it is not already loaded in a state (much like userland
> Lua handles require).
> Fixes PR kern/52226.
>
>
> To generate a diff of this commit:
> cvs rdiff -u -r1.21 -r1.22 src/sys/modules/lua/lua.c
>
> Please note that diffs are not public domain; they are subject to the
> copyright notices on the relevant files.
>
From: Marc Balmer <mhbalmer@gmail.com>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: PR/52226 CVS commit: src/sys/modules/lua
Date: Sun, 21 May 2017 02:29:34 -0700
That has been fixed in a subsequent commit. luaL_requiref is called in all
cases. Please update your source tree again and it will work.
On 21 May 2017 at 10:58:11, Alexander Mihalicyn (alexander@mihalicyn.com)
wrote:
The following reply was made to PR kern/52226; it has been noted by GNATS.
From: Alexander Mihalicyn <alexander@mihalicyn.com>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: PR/52226 CVS commit: src/sys/modules/lua
Date: Sat, 20 May 2017 17:27:00 +0300
Hello, Dear Marc Balmer,
I checked out variant of fix from CVS. Sorry, but it is fully correct?
I would like to point that it's very important that in our original
fix checking of module already loaded in state was between
luaL_requiref call and md->refcount++. But in our last fix (from CVS)
we have that check before luaL_requiref. It seems that this may cause
a problem:
consider the following example:
----
luactl create s1
luactl load s1 /root/test.lua
luactl load s1 /root/test.lua
luactl destroy s1
test.lua:
systm = require 'systm'
systm.print("hello, kernel world!\n")
----
We got a problem because module in second call of luactl load won't
loaded into lua context. And we got messages:
hello, kernel world!
...and after that error, that print is undefined (or something similar ;)).
Thank you in advance.
Regards, Alex.
On Sat, May 20, 2017 at 11:35 AM, Marc Balmer <mbalmer@netbsd.org> wrote:
> The following reply was made to PR kern/52226; it has been noted by
GNATS.
>
> From: "Marc Balmer" <mbalmer@netbsd.org>
> To: gnats-bugs@gnats.NetBSD.org
> Cc:
> Subject: PR/52226 CVS commit: src/sys/modules/lua
> Date: Sat, 20 May 2017 08:31:13 +0000
>
> Module Name: src
> Committed By: mbalmer
> Date: Sat May 20 08:31:13 UTC 2017
>
> Modified Files:
> src/sys/modules/lua: lua.c
>
> Log Message:
> Only load a module if it is not already loaded in a state (much like
userland
> Lua handles require).
> Fixes PR kern/52226.
>
>
> To generate a diff of this commit:
> cvs rdiff -u -r1.21 -r1.22 src/sys/modules/lua/lua.c
>
> Please note that diffs are not public domain; they are subject to the
> copyright notices on the relevant files.
>
From: Alexander Mihalicyn <alexander@mihalicyn.com>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: PR/52226 CVS commit: src/sys/modules/lua
Date: Sun, 21 May 2017 19:24:06 +0300
Thank you very much. ;)
On Sun, May 21, 2017 at 12:30 PM, Marc Balmer <mhbalmer@gmail.com> wrote:
> The following reply was made to PR kern/52226; it has been noted by GNATS.
>
> From: Marc Balmer <mhbalmer@gmail.com>
> To: gnats-bugs@netbsd.org
> Cc:
> Subject: Re: PR/52226 CVS commit: src/sys/modules/lua
> Date: Sun, 21 May 2017 02:29:34 -0700
>
> That has been fixed in a subsequent commit. luaL_requiref is called in all
> cases. Please update your source tree again and it will work.
>
>
> On 21 May 2017 at 10:58:11, Alexander Mihalicyn (alexander@mihalicyn.com)
> wrote:
>
> The following reply was made to PR kern/52226; it has been noted by GNATS.
>
> From: Alexander Mihalicyn <alexander@mihalicyn.com>
> To: gnats-bugs@netbsd.org
> Cc:
> Subject: Re: PR/52226 CVS commit: src/sys/modules/lua
> Date: Sat, 20 May 2017 17:27:00 +0300
>
> Hello, Dear Marc Balmer,
>
> I checked out the variant of the fix from CVS. Sorry, but is it fully correct?
> I would like to point out that it's very important that in our original
> fix the check for the module already loaded in the state was between the
> luaL_requiref call and md->refcount++. But in our last fix (from CVS)
> we have that check before luaL_requiref. It seems that this may cause
> a problem:
> consider the following example:
>
> ----
> luactl create s1
> luactl load s1 /root/test.lua
> luactl load s1 /root/test.lua
> luactl destroy s1
>
> test.lua:
> systm = require 'systm'
>
> systm.print("hello, kernel world!\n")
> ----
>
> We got a problem because the module in the second call of luactl load won't
> be loaded into the Lua context. And we got messages:
> hello, kernel world!
> ...and after that error, that print is undefined (or something similar
> ;)).
>
> Thank you in advance.
>
> Regards, Alex.
>
> On Sat, May 20, 2017 at 11:35 AM, Marc Balmer <mbalmer@netbsd.org> wrote:
> > The following reply was made to PR kern/52226; it has been noted by GNATS.
> >
> > From: "Marc Balmer" <mbalmer@netbsd.org>
> > To: gnats-bugs@gnats.NetBSD.org
> > Cc:
> > Subject: PR/52226 CVS commit: src/sys/modules/lua
> > Date: Sat, 20 May 2017 08:31:13 +0000
> >
> > Module Name: src
> > Committed By: mbalmer
> > Date: Sat May 20 08:31:13 UTC 2017
> >
> > Modified Files:
> > src/sys/modules/lua: lua.c
> >
> > Log Message:
> > Only load a module if it is not already loaded in a state (much like userland
> > Lua handles require).
> > Fixes PR kern/52226.
> >
> >
> > To generate a diff of this commit:
> > cvs rdiff -u -r1.21 -r1.22 src/sys/modules/lua/lua.c
> >
> > Please note that diffs are not public domain; they are subject to the
> > copyright notices on the relevant files.
> >
>
From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/52226 CVS commit: [netbsd-7] src/sys/modules/lua
Date: Sun, 23 Jul 2017 06:00:40 +0000
Module Name: src
Committed By: snj
Date: Sun Jul 23 06:00:39 UTC 2017
Modified Files:
src/sys/modules/lua [netbsd-7]: lua.c
Log Message:
Pull up following revision(s) (requested by mbalmer in ticket #1422):
sys/modules/lua/lua.c: revision 1.22 via patch
Only load a module if it is not already loaded in a state (much like
userland Lua handles require).
Fixes PR kern/52226.
To generate a diff of this commit:
cvs rdiff -u -r1.13.2.4 -r1.13.2.5 src/sys/modules/lua/lua.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
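The ordering question discussed in this PR, as an added user-space model (not the NetBSD lua.c source): one module is required twice in a single state with no check, with the check before luaL_requiref, and with the check between luaL_requiref and refcount++. Only lua_modules, mod_next, refcount and luaL_requiref are names from the PR; the struct layout, the opened counter standing in for luaL_requiref, and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/queue.h>

/* Simplified model; the struct layout is an assumption, not the kernel's. */
struct lua_module {
	int refcount;
	int opened;	/* times the stand-in for luaL_requiref() ran */
	LIST_ENTRY(lua_module) mod_next;
};

struct lua_state_model {
	LIST_HEAD(, lua_module) lua_modules;
};

enum order { UNCHECKED, CHECK_FIRST, REQUIRE_THEN_CHECK };

/* Is md already linked into this state's module list? */
static int tracked(struct lua_state_model *s, struct lua_module *md)
{
	struct lua_module *m;
	LIST_FOREACH(m, &s->lua_modules, mod_next)
		if (m == md)
			return 1;
	return 0;
}

static void model_require(struct lua_state_model *s, struct lua_module *md, enum order o)
{
	if (o == CHECK_FIRST && tracked(s, md))
		return;		/* module is not opened in the Lua context again */
	md->opened++;		/* stand-in for luaL_requiref() */
	if (o == REQUIRE_THEN_CHECK && tracked(s, md))
		return;		/* already linked: no second insert, no refcount++ */
	md->refcount++;
	LIST_INSERT_HEAD(&s->lua_modules, md, mod_next);
}

/* Require one module twice in a fresh state; return the list length,
 * or -1 if a bounded walk does not reach the end (node links to itself). */
static int double_require(enum order o, struct lua_module *md)
{
	struct lua_state_model s;
	struct lua_module *m;
	int n = 0;
	LIST_INIT(&s.lua_modules);
	memset(md, 0, sizeof(*md));
	model_require(&s, md, o);
	model_require(&s, md, o);
	LIST_FOREACH(m, &s.lua_modules, mod_next)
		if (++n > 16)
			return -1;
	return n;
}

int main(void)
{
	struct lua_module md;
	for (int o = UNCHECKED; o <= REQUIRE_THEN_CHECK; o++) {
		int len = double_require((enum order)o, &md);
		printf("order=%d len=%d opened=%d refcount=%d\n", o, len, md.opened, md.refcount);
	}
	return 0;
}
```

With no check the bounded walk gives up (-1) because the node links to itself; checking first keeps the list intact but skips the second open; opening first and then checking keeps the list intact and still opens the module on both loads.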
>Unformatted:
Copyright © 1994-2014
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.