#40 - Implement safeCall to spoof the stack #45
Conversation
|
I've identified an unfortunate core problem with this: By default, LuaJIT will attempt to resolve the name of the current function by traversing one frame below, and reading the Lua frame (if any)'s last call instruction to determine the slot it used, then looking up the slot's name. We basically totally destroy this with our detour frames and whatnot, and marking as dummy frames doesn't work for this. /* Deduce function name from caller of a frame. */
const char *lj_debug_funcname(lua_State *L, cTValue *frame, const char **name)
{
cTValue *pframe;
GCfunc *fn;
BCPos pc;
if (frame <= tvref(L->stack)+LJ_FR2)
return NULL;
if (frame_isvarg(frame))
frame = frame_prevd(frame);
pframe = frame_prev(frame);
fn = frame_func(pframe);
pc = debug_framepc(L, fn, frame);
if (pc != NO_BCPOS) {
GCproto *pt = funcproto(fn);
const BCIns *ip = &proto_bc(pt)[check_exp(pc < pt->sizebc, pc)];
MMS mm = bcmode_mm(bc_op(*ip));
if (mm == MM_call) {
BCReg slot = bc_a(*ip);
if (bc_op(*ip) == BC_ITERC) slot -= 3;
return lj_debug_slotname(pt, ip, slot, name);
} else if (mm != MM__MAX) {
*name = strdata(mmname_str(G(L), mm));
return "metamethod";
}
}
return NULL;
}We can't do any tricks like resizing a frame either because it violates the typical delta frame assumptions LuaJIT makes and would likely result in a crash. The only promising thing, in my opinion, is to hook this function natively, walk the frame down to the next Lua frame, go one frame before that, and call this function again with the proper frame. |
packages/autorun-env/src/functions/auth/hooks/lj_debug_funcname.rs
Outdated
Show resolved
Hide resolved
packages/autorun-env/src/functions/auth/hooks/lj_debug_funcname.rs
Outdated
Show resolved
Hide resolved
This one is funny because it can also leak Autorun's presence in the stack.
It sucks that its a constant, but since I now force all the call frames to generate (including the closure wrapper), there's an extra two now.
|
There were some problems with adjusting to the new call frames introduced by Here are some test results (method of test is some function that somehow lets you run arbitrary code in Autorun's context, the worst-case scenario): ProtectedUnprotected |
yogwoggf
changed the title
|
Ready for review. Also would be nice if you could test this branch @thevurv . You should be able to load a map like usual, and it shouldn't crash.. hopefully. |
|
also do not merge yet cause it's still quite experimental but I requested a review to get rid of any major blockers |
Now, we default to zero for any native errors. This is in line with GMod, which does the same and this is why native errors never have a source attached.
|
Starting to notice crashes and general instability... keeping as draft for now |
Resolves #40
Resolves #43
Changes
protections.luathat installs a few necessary and critical safe-call wrappers to protect Autorun. This is NOT something related to Safety Equivalent #10 .lj_debug_funcnameto frame stitch the original call stack and restores proper errors for fast functions without anything unusual happening.pcall_forwardanderrorto LuaApi which enables Autorun to finally error properly in the proper format expected without anything seeming off. The detour handler now forwards these errors properly, so erroring inside of a detour functions as expected.LuaApi,luaL_where,lua_concatandlua_removeExample for the new error handling:
Source:
It is a bit cumbersome to need to use the global variant of error, but we can't use the typical error or else it will bypass the safe calling mechanism and violate new assumptions held by the hooks and such.