[AUTO-CHERRYPICK] Patch luajit for CVE-2024-25177[HIGH] - branch main (#14524)

CBL-Mariner-Bot · kgodara912 · Kshitiz Godara · web-flow · commit 91f05f2cff59 · 2025-08-18T11:54:57.000-07:00
Co-authored-by: kgodara912 &lt;kshigodara@outlook.com&gt;
Co-authored-by: Kshitiz Godara &lt;kgodara@microsoft.com&gt;
Co-authored-by: Kanishk Bansal &lt;103916909+Kanishk-Bansal@users.noreply.github.com&gt;
diff --git a/SPECS/luajit/CVE-2024-25177.patch b/SPECS/luajit/CVE-2024-25177.patch
@@ -0,0 +1,45 @@
+From 3c4209f69e4f0f3810b9acfde263569ef7c0a197 Mon Sep 17 00:00:00 2001
+From: Mike Pall <mike>
+Date: Tue, 23 Jan 2024 18:58:52 +0100
+Subject: [PATCH] Fix unsinking of IR_FSTORE for NULL metatable.
+
+Reported by pwnhacker0x18. #1147
+
+Upstream reference:
+https://github.com/LuaJIT/LuaJIT/commit/85b4fed0b0353dd78c8c875c2f562d522a2b310f
+---
+ src/lj_snap.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/lj_snap.c b/src/lj_snap.c
+index 4140fdb..d2c454c 100644
+--- a/src/lj_snap.c
++++ b/src/lj_snap.c
+@@ -453,6 +453,7 @@ static TRef snap_replay_const(jit_State *J, IRIns *ir)
+   case IR_KNUM: case IR_KINT64:
+     return lj_ir_k64(J, (IROp)ir->o, ir_k64(ir)->u64);
+   case IR_KPTR: return lj_ir_kptr(J, ir_kptr(ir));  /* Continuation. */
++  case IR_KNULL: return lj_ir_knull(J, irt_type(ir->t));
+   default: lj_assertJ(0, "bad IR constant op %d", ir->o); return TREF_NIL;
+   }
+ }
+@@ -882,9 +883,13 @@ static void snap_unsink(jit_State *J, GCtrace *T, ExitState *ex,
+ 	if (irk->o == IR_FREF) {
+ 	  lj_assertJ(irk->op2 == IRFL_TAB_META,
+ 		     "sunk store with bad field %d", irk->op2);
+-	  snap_restoreval(J, T, ex, snapno, rfilt, irs->op2, &tmp);
+-	  /* NOBARRIER: The table is new (marked white). */
+-	  setgcref(t->metatable, obj2gco(tabV(&tmp)));
++	  if (T->ir[irs->op2].o == IR_KNULL) {
++	    setgcrefnull(t->metatable);
++	  } else {
++	    snap_restoreval(J, T, ex, snapno, rfilt, irs->op2, &tmp);
++	    /* NOBARRIER: The table is new (marked white). */
++	    setgcref(t->metatable, obj2gco(tabV(&tmp)));
++	  }
+ 	} else {
+ 	  irk = &T->ir[irk->op2];
+ 	  if (irk->o == IR_KSLOT) irk = &T->ir[irk->op1];
+-- 
+2.45.4
+
diff --git a/SPECS/luajit/luajit.signatures.json b/SPECS/luajit/luajit.signatures.json
@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "LuaJIT-2.1.0-beta3.tar.gz": "1ad2e34b111c802f9d0cdf019e986909123237a28c746b21295b63c9e785d9c3"
+  "LuaJIT-2.1.0-beta3_v1.tar.gz": "409f7fe570d3c16558e594421c47bdd130238323c9d6fd6c83dedd2aaeb082a8"
  }
-}
+}
diff --git a/SPECS/luajit/luajit.spec b/SPECS/luajit/luajit.spec
@@ -5,22 +5,23 @@ Name:           luajit
 Version:        2.1.0
 %global apiver %(v=%{version}; echo ${v%.${v#[0-9].[0-9].}})
 %global srcver %{version}%{?rctag:-%{rctag}}
-Release:        27%{?dist}
+Release:        28%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 URL:            https://luajit.org/
-Source0:        https://luajit.org/download/LuaJIT-%{srcver}.tar.gz
+Source0:        https://github.com/LuaJIT/LuaJIT/archive/refs/tags/v2.1.0-beta3.tar.gz#/LuaJIT-%{srcver}_v1.tar.gz
 
 # Patches from https://github.com/LuaJit/LuaJIT.git
 # Generated from v2.1 branch against the 2.1.0-beta3 tag using
 # git diff v2.1.0-beta3..v2.1 > luajit-2.1-update.patch
-Patch0: luajit-2.1-update.patch
+Patch0:         luajit-2.1-update.patch
 # Patches from https://github.com/cryptomilk/LuaJIT/commits/v2.1-fedora
 # git format-patch --stdout -l1 --no-renames v2.1..v2.1-fedora > luajit-2.1-fedora.patch
-Patch1: luajit-2.1-fedora.patch
+Patch1:         luajit-2.1-fedora.patch
 Patch2:         CVE-2024-25178.patch
 Patch3:         CVE-2024-25176.patch
+Patch4:         CVE-2024-25177.patch
 
 BuildRequires:  gcc
 BuildRequires:  make
@@ -96,6 +97,9 @@ make check || true
 %{_libdir}/pkgconfig/%{name}.pc
 
 %changelog
+* Tue Aug 05 2025 Kshitiz Godara <kgodara@microsoft.com> - 2.1.0-28
+- Patch for CVE-2024-25177
+
 * Thu Jul 17 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.1.0-27
 - Patch for CVE-2024-25178, CVE-2024-25176
 
diff --git a/cgmanifest.json b/cgmanifest.json
@@ -12572,7 +12572,7 @@
         "other": {
           "name": "luajit",
           "version": "2.1.0",
-          "downloadUrl": "https://luajit.org/download/LuaJIT-2.1.0-beta3.tar.gz"
+          "downloadUrl": "https://github.com/LuaJIT/LuaJIT/archive/refs/tags/v2.1.0-beta3.tar.gz"
         }
       }
     },

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`{`
`2`	`2`	`"Signatures": {`
`3`		`- "LuaJIT-2.1.0-beta3.tar.gz": "1ad2e34b111c802f9d0cdf019e986909123237a28c746b21295b63c9e785d9c3"`
	`3`	`+ "LuaJIT-2.1.0-beta3_v1.tar.gz": "409f7fe570d3c16558e594421c47bdd130238323c9d6fd6c83dedd2aaeb082a8"`
`4`	`4`	`}`
`5`		`-}`
	`5`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -12572,7 +12572,7 @@`
`12572`	`12572`	`"other": {`
`12573`	`12573`	`"name": "luajit",`
`12574`	`12574`	`"version": "2.1.0",`
`12575`		`- "downloadUrl": "https://luajit.org/download/LuaJIT-2.1.0-beta3.tar.gz"`
	`12575`	`+ "downloadUrl": "https://github.com/LuaJIT/LuaJIT/archive/refs/tags/v2.1.0-beta3.tar.gz"`
`12576`	`12576`	`}`
`12577`	`12577`	`}`
`12578`	`12578`	`},`