luajit: fix several CVEs

fix CVE-2024-25176, CVE-2024-25177, CVE-2024-25178

For apply CVE-2024-25178-0003.patch more smoothly,
CVE-2024-25178-0001.patch and CVE-2024-25178-0002.patch is backported.

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>

meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25176.patch

@@ -0,0 +1,32 @@
+From 810bf18ff0ddbae9b2ceb30dd8b9c901cc634d1f Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Tue, 5 Aug 2025 14:49:06 +0800
+Subject: [PATCH] Fix zero stripping in %g number formatting.
+
+Reported by pwnhacker0x18. #1149
+
+CVE: CVE-2024-25176
+Upstream-Status: Backport [https://github.com/LuaJIT/LuaJIT/commit/343ce0edaf3906a62022936175b2f5410024cbfc]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/lj_strfmt_num.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/lj_strfmt_num.c b/src/lj_strfmt_num.c
+index 3c60695c..41214894 100644
+--- a/src/lj_strfmt_num.c
++++ b/src/lj_strfmt_num.c
+@@ -454,7 +454,8 @@ static char *lj_strfmt_wfnum(SBuf *sb, SFormat sf, lua_Number n, char *p)
+ 	    prec--;
+ 	    if (!i) {
+ 	      if (ndlo == ndhi) { prec = 0; break; }
+-	      lj_strfmt_wuint9(tail, nd[++ndlo]);
++	      ndlo = (ndlo + 1) & 0x3f;
++	      lj_strfmt_wuint9(tail, nd[ndlo]);
+ 	      i = 9;
+ 	    }
+ 	  }
+-- 
+2.34.1
+

meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25177.patch

@@ -0,0 +1,44 @@
+From c8421200e9accf5a10a52768bb3dca2f555bd092 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Tue, 5 Aug 2025 15:05:07 +0800
+Subject: [PATCH] Fix unsinking of IR_FSTORE for NULL metatable.
+
+Reported by pwnhacker0x18. #1147
+
+CVE: CVE-2024-25177
+Upstream-Status: Backport [https://github.com/openresty/luajit2/commit/85b4fed0b0353dd78c8c875c2f562d522a2b310f]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/lj_snap.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/lj_snap.c b/src/lj_snap.c
+index 4140fdb7..d7027875 100644
+--- a/src/lj_snap.c
++++ b/src/lj_snap.c
+@@ -453,6 +453,7 @@ static TRef snap_replay_const(jit_State *J, IRIns *ir)
+   case IR_KNUM: case IR_KINT64:
+     return lj_ir_k64(J, (IROp)ir->o, ir_k64(ir)->u64);
+   case IR_KPTR: return lj_ir_kptr(J, ir_kptr(ir));  /* Continuation. */
++  case IR_KNULL: return lj_ir_knull(J, irt_type(ir->t));
+   default: lj_assertJ(0, "bad IR constant op %d", ir->o); return TREF_NIL;
+   }
+ }
+@@ -882,9 +883,13 @@ static void snap_unsink(jit_State *J, GCtrace *T, ExitState *ex,
+ 	if (irk->o == IR_FREF) {
+ 	  lj_assertJ(irk->op2 == IRFL_TAB_META,
+ 		     "sunk store with bad field %d", irk->op2);
++	if (T->ir[irs->op2].o == IR_KNULL) {
++	  setgcrefnull(t->metatable);
++	} else {
+ 	  snap_restoreval(J, T, ex, snapno, rfilt, irs->op2, &tmp);
+ 	  /* NOBARRIER: The table is new (marked white). */
+ 	  setgcref(t->metatable, obj2gco(tabV(&tmp)));
++	}
+ 	} else {
+ 	  irk = &T->ir[irk->op2];
+ 	  if (irk->o == IR_KSLOT) irk = &T->ir[irk->op1];
+-- 
+2.34.1
+

meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25178-0001.patch

@@ -0,0 +1,28 @@
+From d4fd9f2939645eb20616ced3bbffba609c1eeac6 Mon Sep 17 00:00:00 2001
+From: Mike Pall <mike>
+Date: Wed, 9 Nov 2022 11:01:41 +0100
+Subject: [PATCH 1/3] Ensure correct stack top for OOM error message.
+
+Reported by Sergey Kaplun.
+
+Upstream-Status: Backport [https://github.com/LuaJIT/LuaJIT/commit/ca8d3257bb44e42100c7910c47dcdcf01f494187]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/lj_err.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/lj_err.c b/src/lj_err.c
+index 563c7706..283c3d18 100644
+--- a/src/lj_err.c
++++ b/src/lj_err.c
+@@ -777,6 +777,7 @@ LJ_NOINLINE void lj_err_mem(lua_State *L)
+ {
+   if (L->status == LUA_ERRERR+1)  /* Don't touch the stack during lua_open. */
+     lj_vm_unwind_c(L->cframe, LUA_ERRMEM);
++  if (curr_funcisL(L)) L->top = curr_topL(L);
+   setstrV(L, L->top++, lj_err_str(L, LJ_ERR_ERRMEM));
+   lj_err_throw(L, LUA_ERRMEM);
+ }
+-- 
+2.34.1
+

meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25178-0002.patch

@@ -0,0 +1,49 @@
+From 4b736a552ff84d72f39aa0cf36eb8a4e1a77f350 Mon Sep 17 00:00:00 2001
+From: Mike Pall <mike>
+Date: Thu, 21 Sep 2023 01:58:43 +0200
+Subject: [PATCH 2/3] Cleanup stack overflow handling.
+
+Reported by Peter Cawley. #962
+
+Upstream-Status: Backport [https://github.com/LuaJIT/LuaJIT/commit/d2f6c55b05c716e5dbb479b7e684abaee7cf6e12]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/lj_state.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/src/lj_state.c b/src/lj_state.c
+index 0b9c46ba..ccdfa381 100644
+--- a/src/lj_state.c
++++ b/src/lj_state.c
+@@ -103,8 +103,17 @@ void lj_state_shrinkstack(lua_State *L, MSize used)
+ void LJ_FASTCALL lj_state_growstack(lua_State *L, MSize need)
+ {
+   MSize n;
+-  if (L->stacksize > LJ_STACK_MAXEX)  /* Overflow while handling overflow? */
+-    lj_err_throw(L, LUA_ERRERR);
++  if (L->stacksize >= LJ_STACK_MAXEX) {
++    /* 4. Throw 'error in error handling' when we are _over_ the limit. */
++    if (L->stacksize > LJ_STACK_MAXEX)
++      lj_err_throw(L, LUA_ERRERR);  /* Does not invoke an error handler. */
++    /* 1. We are _at_ the limit after the last growth. */
++    if (!L->status) {  /* 2. Throw 'stack overflow'. */
++      L->status = LUA_ERRRUN;  /* Prevent ending here again for pushed msg. */
++      lj_err_msg(L, LJ_ERR_STKOV);  /* May invoke an error handler. */
++    }
++    /* 3. Add space (over the limit) for pushed message and error handler. */
++  }
+   n = L->stacksize + need;
+   if (n > LJ_STACK_MAX) {
+     n += 2*LUA_MINSTACK;
+@@ -114,8 +123,6 @@ void LJ_FASTCALL lj_state_growstack(lua_State *L, MSize need)
+       n = LJ_STACK_MAX;
+   }
+   resizestack(L, n);
+-  if (L->stacksize > LJ_STACK_MAXEX)
+-    lj_err_msg(L, LJ_ERR_STKOV);
+ }
+ 
+ void LJ_FASTCALL lj_state_growstack1(lua_State *L)
+-- 
+2.34.1
+

meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25178-0003.patch

@@ -0,0 +1,163 @@
+From 891bd078750312746541327332071a8fc354c10b Mon Sep 17 00:00:00 2001
+From: Mike Pall <mike>
+Date: Sun, 4 Feb 2024 16:34:30 +0100
+Subject: [PATCH] Rework stack overflow handling.
+
+Reported by pwnhacker0x18. Fixed by Peter Cawley. #1152
+
+CVE: CVE-2024-25178
+Upstream-Status: Backport [https://github.com/LuaJIT/LuaJIT/commit/defe61a56751a0db5f00ff3ab7b8f45436ba74c8
+https://github.com/LuaJIT/LuaJIT/commit/0d313b243194a0b8d2399d8b549ca5a0ff234db5]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/lj_debug.c |  1 +
+ src/lj_err.c   | 22 +++++++++++++++++---
+ src/lj_err.h   |  1 +
+ src/lj_state.c | 56 +++++++++++++++++++++++++++++++++-----------------
+ 4 files changed, 58 insertions(+), 22 deletions(-)
+
+diff --git a/src/lj_debug.c b/src/lj_debug.c
+index 112f5358..861fac6b 100644
+--- a/src/lj_debug.c
++++ b/src/lj_debug.c
+@@ -64,6 +64,7 @@ static BCPos debug_framepc(lua_State *L, GCfunc *fn, cTValue *nextframe)
+     if (cf == NULL || (char *)cframe_pc(cf) == (char *)cframe_L(cf))
+       return NO_BCPOS;
+     ins = cframe_pc(cf);  /* Only happens during error/hook handling. */
++    if (!ins) return NO_BCPOS;
+   } else {
+     if (frame_islua(nextframe)) {
+       ins = frame_pc(nextframe);
+diff --git a/src/lj_err.c b/src/lj_err.c
+index 283c3d18..b514df57 100644
+--- a/src/lj_err.c
++++ b/src/lj_err.c
+@@ -777,7 +777,14 @@ LJ_NOINLINE void lj_err_mem(lua_State *L)
+ {
+   if (L->status == LUA_ERRERR+1)  /* Don't touch the stack during lua_open. */
+     lj_vm_unwind_c(L->cframe, LUA_ERRMEM);
+-  if (curr_funcisL(L)) L->top = curr_topL(L);
++  if (curr_funcisL(L)) {
++    L->top = curr_topL(L);
++    if (LJ_UNLIKELY(L->top > tvref(L->maxstack))) {
++      /* The current Lua frame violates the stack. Replace it with a dummy. */
++      L->top = L->base;
++      setframe_gc(L->base - 1 - LJ_FR2, obj2gco(L), LJ_TTHREAD);
++    }
++  }
+   setstrV(L, L->top++, lj_err_str(L, LJ_ERR_ERRMEM));
+   lj_err_throw(L, LUA_ERRMEM);
+ }
+@@ -838,9 +845,11 @@ LJ_NOINLINE void LJ_FASTCALL lj_err_run(lua_State *L)
+ {
+   ptrdiff_t ef = (LJ_HASJIT && tvref(G(L)->jit_base)) ? 0 : finderrfunc(L);
+   if (ef) {
+-    TValue *errfunc = restorestack(L, ef);
+-    TValue *top = L->top;
++    TValue *errfunc, *top;
++    lj_state_checkstack(L, LUA_MINSTACK * 2);  /* Might raise new error. */
+     lj_trace_abort(G(L));
++    errfunc = restorestack(L, ef);
++    top = L->top;
+     if (!tvisfunc(errfunc) || L->status == LUA_ERRERR) {
+       setstrV(L, top-1, lj_err_str(L, LJ_ERR_ERRERR));
+       lj_err_throw(L, LUA_ERRERR);
+@@ -865,6 +874,13 @@ LJ_NOINLINE void LJ_FASTCALL lj_err_trace(lua_State *L, int errcode)
+ }
+ #endif
+ 
++/* Stack overflow error. */
++void LJ_FASTCALL lj_err_stkov(lua_State *L)
++{
++  lj_debug_addloc(L, err2msg(LJ_ERR_STKOV), L->base-1, NULL);
++  lj_err_run(L);
++}
++
+ /* Formatted runtime error message. */
+ LJ_NORET LJ_NOINLINE static void err_msgv(lua_State *L, ErrMsg em, ...)
+ {
+diff --git a/src/lj_err.h b/src/lj_err.h
+index bd4de9ae..a3aaa756 100644
+--- a/src/lj_err.h
++++ b/src/lj_err.h
+@@ -23,6 +23,7 @@ LJ_DATA const char *lj_err_allmsg;
+ LJ_FUNC GCstr *lj_err_str(lua_State *L, ErrMsg em);
+ LJ_FUNCA_NORET void LJ_FASTCALL lj_err_throw(lua_State *L, int errcode);
+ LJ_FUNC_NORET void lj_err_mem(lua_State *L);
++LJ_FUNC_NORET void LJ_FASTCALL lj_err_stkov(lua_State *L);
+ LJ_FUNC_NORET void LJ_FASTCALL lj_err_run(lua_State *L);
+ #if LJ_HASJIT
+ LJ_FUNCA_NORET void LJ_FASTCALL lj_err_trace(lua_State *L, int errcode);
+diff --git a/src/lj_state.c b/src/lj_state.c
+index ccdfa381..74725bbc 100644
+--- a/src/lj_state.c
++++ b/src/lj_state.c
+@@ -102,27 +102,45 @@ void lj_state_shrinkstack(lua_State *L, MSize used)
+ /* Try to grow stack. */
+ void LJ_FASTCALL lj_state_growstack(lua_State *L, MSize need)
+ {
+-  MSize n;
+-  if (L->stacksize >= LJ_STACK_MAXEX) {
+-    /* 4. Throw 'error in error handling' when we are _over_ the limit. */
+-    if (L->stacksize > LJ_STACK_MAXEX)
++  MSize n = L->stacksize + need;
++  if (LJ_LIKELY(n < LJ_STACK_MAX)) {  /* The stack can grow as requested. */
++    if (n < 2 * L->stacksize) {  /* Try to double the size. */
++      n = 2 * L->stacksize;
++      if (n > LJ_STACK_MAX)
++   n = LJ_STACK_MAX;
++    }
++    resizestack(L, n);
++  } else {  /* Request would overflow. Raise a stack overflow error. */
++    if (curr_funcisL(L)) {
++      L->top = curr_topL(L);
++      if (L->top > tvref(L->maxstack)) {
++   /* The current Lua frame violates the stack, so replace it with a
++   ** dummy. This can happen when BC_IFUNCF is trying to grow the stack.
++   */
++   L->top = L->base;
++    setframe_gc(L->base - 1 - LJ_FR2, obj2gco(L), LJ_TTHREAD);
++      }
++    }
++    if (L->stacksize <= LJ_STACK_MAXEX) {
++      /* An error handler might want to inspect the stack overflow error, but
++      ** will need some stack space to run in. We give it a stack size beyond
++      ** the normal limit in order to do so, then rely on lj_state_relimitstack
++      ** calls during unwinding to bring us back to a convential stack size.
++      ** The + 1 is space for the error message, and 2 * LUA_MINSTACK is for
++      ** the lj_state_checkstack() call in lj_err_run().
++      */
++      resizestack(L, LJ_STACK_MAX + 1 + 2 * LUA_MINSTACK);
++      lj_err_stkov(L);  /* May invoke an error handler. */
++    } else {
++      /* If we're here, then the stack overflow error handler is requesting
++      ** to grow the stack even further. We have no choice but to abort the
++      ** error handler.
++      */
++      GCstr *em = lj_err_str(L, LJ_ERR_STKOV);  /* Might OOM. */
++      setstrV(L, L->top++, em);  /* There is always space to push an error. */
+       lj_err_throw(L, LUA_ERRERR);  /* Does not invoke an error handler. */
+-    /* 1. We are _at_ the limit after the last growth. */
+-    if (!L->status) {  /* 2. Throw 'stack overflow'. */
+-      L->status = LUA_ERRRUN;  /* Prevent ending here again for pushed msg. */
+-      lj_err_msg(L, LJ_ERR_STKOV);  /* May invoke an error handler. */
+     }
+-    /* 3. Add space (over the limit) for pushed message and error handler. */
+-  }
+-  n = L->stacksize + need;
+-  if (n > LJ_STACK_MAX) {
+-    n += 2*LUA_MINSTACK;
+-  } else if (n < 2*L->stacksize) {
+-    n = 2*L->stacksize;
+-    if (n >= LJ_STACK_MAX)
+-      n = LJ_STACK_MAX;
+-  }
+-  resizestack(L, n);
++  } 
+ }
+ 
+ void LJ_FASTCALL lj_state_growstack1(lua_State *L)
+-- 
+2.34.1
+

meta-oe/recipes-devtools/luajit/luajit_git.bb

@@ -6,6 +6,11 @@ HOMEPAGE = "http://luajit.org"
 SRC_URI = "git://luajit.org/git/luajit-2.0.git;protocol=http;branch=v2.1 \
            file://0001-Do-not-strip-automatically-this-leaves-the-stripping.patch \
            file://clang.patch \
+           file://CVE-2024-25176.patch \
+           file://CVE-2024-25177.patch \
+           file://CVE-2024-25178-0001.patch \
+           file://CVE-2024-25178-0002.patch \
+           file://CVE-2024-25178-0003.patch \
            "
 
 # Set PV to a version tag and date (YYMMDD) associated with SRCREV if it is later.