Fix error generation in load*.

Mike Pall · Buristan · commit 046e9b3a0404 · 2025-07-01T18:07:06.000+03:00
Reported by Sergey Kaplun. (cherry picked from commit e76bb50) The chunkname pointer to the "@filename" is put on the Lua stack before the `lua_loadx()` and is removed right before the next `lua_pushfstring()` in case of the error. If the GC takes the step right at this moment inside `lua_pushfstring()` the string may be collected, and the next read from this `chunkname + 1` is from the deallocated memory. This patch fixes this by using the source string (or the constant one) instead. Sergey Kaplun: * added the description and the test for the problem Part of tarantool/tarantool#11278 Reviewed-by: Sergey Bronnikov <sergeyb@tarantool.org> Signed-off-by: Sergey Kaplun <skaplun@tarantool.org>
diff --git a/src/lj_load.c b/src/lj_load.c
@@ -108,8 +108,9 @@ LUALIB_API int luaL_loadfilex(lua_State *L, const char *filename,
     copyTV(L, L->top-1, L->top);
   }
   if (err) {
+    const char *fname = filename ? filename : "stdin";
     L->top--;
-    lua_pushfstring(L, "cannot read %s: %s", chunkname+1, strerror(err));
+    lua_pushfstring(L, "cannot read %s: %s", fname, strerror(err));
     return LUA_ERRFILE;
   }
   return status;
diff --git a/test/tarantool-tests/lj-1353-loadfile-err-use-after-free.test.lua b/test/tarantool-tests/lj-1353-loadfile-err-use-after-free.test.lua
@@ -0,0 +1,39 @@
+local tap = require('tap')
+
+-- Test file to demonstrate LuaJIT use-after-free in case of the
+-- error in `loadfile()`.
+-- See also: https://github.com/LuaJIT/LuaJIT/issues/1353.
+local test = tap.test('lj-1353-loadfile-err-use-after-free'):skipcond({
+  ['Too many GC objects on start'] = _TARANTOOL,
+})
+
+test:plan(1)
+
+-- Determine the GC step size to finish the GC cycle in one step.
+local full_step = 1
+while true do
+  collectgarbage('collect')
+  collectgarbage('setpause', 0)
+  collectgarbage('setstepmul', full_step)
+  if collectgarbage('step') then break end
+  full_step = full_step + 1
+end
+
+-- Check all possible GC step sizes.
+for i = 1, full_step do
+  collectgarbage('collect')
+  collectgarbage('setpause', 0)
+  collectgarbage('setstepmul', i)
+  repeat
+    -- On Linux-like systems this always returns `nil`, with the
+    -- error: "cannot read .: Is a directory"
+    -- The string for the filename "@." may be collected during
+    -- the call, and later the pointer to the "." from that string
+    -- is used after the string is free.
+    loadfile('.')
+  until collectgarbage('step')
+end
+
+test:ok(true, 'no use-after-free error')
+
+test:done(true)

Original file line number	Diff line number	Diff line change
`@@ -108,8 +108,9 @@ LUALIB_API int luaL_loadfilex(lua_State L, const char filename,`
`108`	`108`	`copyTV(L, L->top-1, L->top);`
`109`	`109`	`}`
`110`	`110`	`if (err) {`
	`111`	`+ const char *fname = filename ? filename : "stdin";`
`111`	`112`	`L->top--;`
`112`		`- lua_pushfstring(L, "cannot read %s: %s", chunkname+1, strerror(err));`
	`113`	`+ lua_pushfstring(L, "cannot read %s: %s", fname, strerror(err));`
`113`	`114`	`return LUA_ERRFILE;`
`114`	`115`	`}`
`115`	`116`	`return status;`