summaryrefslogtreecommitdiff
path: root/mesecons_luacontroller
diff options
context:
space:
mode:
Diffstat (limited to 'mesecons_luacontroller')
-rw-r--r--mesecons_luacontroller/init.lua263
1 files changed, 216 insertions, 47 deletions
diff --git a/mesecons_luacontroller/init.lua b/mesecons_luacontroller/init.lua
index 93703d8..325e16f 100644
--- a/mesecons_luacontroller/init.lua
+++ b/mesecons_luacontroller/init.lua
@@ -13,8 +13,10 @@
-- newport = merge_port_states(state1, state2): just does result = state1 or state2 for every port
-- set_port(pos, rule, state): activates/deactivates the mesecons according to the port states
-- set_port_states(pos, ports): Applies new port states to a Luacontroller at pos
--- run(pos): runs the code in the controller at pos
--- reset_meta(pos, code, errmsg): performs a software-reset, installs new code and prints error messages
+-- run_inner(pos, code, event): runs code on the controller at pos and event
+-- reset_formspec(pos, code, errmsg): installs new code and prints error messages, without resetting LCID
+-- reset_meta(pos, code, errmsg): performs a software-reset, installs new code and prints error message
+-- run(pos, event): a wrapper for run_inner which gets code & handles errors via reset_meta
-- resetn(pos): performs a hardware reset, turns off all ports
--
-- The Sandbox
@@ -141,7 +143,7 @@ local function set_port_states(pos, ports)
-- Solution / Workaround:
-- Remember which output was turned off and ignore next "off" event.
local meta = minetest.get_meta(pos)
- local ign = minetest.deserialize(meta:get_string("ignore_offevents")) or {}
+ local ign = minetest.deserialize(meta:get_string("ignore_offevents"), true) or {}
if ports.a and not vports.a and not mesecon.is_powered(pos, rules.a) then ign.A = true end
if ports.b and not vports.b and not mesecon.is_powered(pos, rules.b) then ign.B = true end
if ports.c and not vports.c and not mesecon.is_powered(pos, rules.c) then ign.C = true end
@@ -183,7 +185,7 @@ end
local function ignore_event(event, meta)
if event.type ~= "off" then return false end
- local ignore_offevents = minetest.deserialize(meta:get_string("ignore_offevents")) or {}
+ local ignore_offevents = minetest.deserialize(meta:get_string("ignore_offevents"), true) or {}
if ignore_offevents[event.pin.name] then
ignore_offevents[event.pin.name] = nil
meta:set_string("ignore_offevents", minetest.serialize(ignore_offevents))
@@ -236,6 +238,7 @@ local function remove_functions(x)
local seen = {}
local function rfuncs(x)
+ if x == nil then return end
if seen[x] then return end
seen[x] = true
if type(x) ~= "table" then return end
@@ -259,37 +262,149 @@ local function remove_functions(x)
return x
end
-local function get_interrupt(pos)
+-- itbl: Flat table of functions to run after sandbox cleanup, used to prevent various security hazards
+local function get_interrupt(pos, itbl, send_warning)
-- iid = interrupt id
local function interrupt(time, iid)
+ -- NOTE: This runs within string metatable sandbox, so don't *rely* on anything of the form (""):y
+ -- Hence the values get moved out. Should take less time than original, so totally compatible
if type(time) ~= "number" then return end
- local luac_id = minetest.get_meta(pos):get_int("luac_id")
- mesecon.queue:add_action(pos, "lc_interrupt", {luac_id, iid}, time, iid, 1)
+ table.insert(itbl, function ()
+ -- Outside string metatable sandbox, can safely run this now
+ local luac_id = minetest.get_meta(pos):get_int("luac_id")
+ -- Check if IID is dodgy, so you can't use interrupts to store an infinite amount of data.
+ -- Note that this is safe from alter-after-free because this code gets run after the sandbox has ended.
+ -- This runs outside of the timer and *shouldn't* harm perf. unless dodgy data is being sent in the first place
+ iid = remove_functions(iid)
+ local msg_ser = minetest.serialize(iid)
+ if #msg_ser <= mesecon.setting("luacontroller_interruptid_maxlen", 256) then
+ mesecon.queue:add_action(pos, "lc_interrupt", {luac_id, iid}, time, iid, 1)
+ else
+ send_warning("An interrupt ID was too large!")
+ end
+ end)
end
return interrupt
end
-local function get_digiline_send(pos)
- if not digiline then return end
+-- Given a message object passed to digiline_send, clean it up into a form
+-- which is safe to transmit over the network and compute its "cost" (a very
+-- rough estimate of its memory usage).
+--
+-- The cleaning comprises the following:
+-- 1. Functions (and userdata, though user scripts ought not to get hold of
+-- those in the first place) are removed, because they break the model of
+-- Digilines as a network that carries basic data, and they could exfiltrate
+-- references to mutable objects from one Luacontroller to another, allowing
+-- inappropriate high-bandwidth, no-wires communication.
+-- 2. Tables are duplicated because, being mutable, they could otherwise be
+-- modified after the send is complete in order to change what data arrives
+-- at the recipient, perhaps in violation of the previous cleaning rule or
+-- in violation of the message size limit.
+--
+-- The cost indication is only approximate; it’s not a perfect measurement of
+-- the number of bytes of memory used by the message object.
+--
+-- Parameters:
+-- msg -- the message to clean
+-- back_references -- for internal use only; do not provide
+--
+-- Returns:
+-- 1. The cleaned object.
+-- 2. The approximate cost of the object.
+local function clean_and_weigh_digiline_message(msg, back_references)
+ local t = type(msg)
+ if t == "string" then
+ -- Strings are immutable so can be passed by reference, and cost their
+ -- length plus the size of the Lua object header (24 bytes on a 64-bit
+ -- platform) plus one byte for the NUL terminator.
+ return msg, #msg + 25
+ elseif t == "number" then
+ -- Numbers are passed by value so need not be touched, and cost 8 bytes
+ -- as all numbers in Lua are doubles.
+ return msg, 8
+ elseif t == "boolean" then
+ -- Booleans are passed by value so need not be touched, and cost 1
+ -- byte.
+ return msg, 1
+ elseif t == "table" then
+ -- Tables are duplicated. Check if this table has been seen before
+ -- (self-referential or shared table); if so, reuse the cleaned value
+ -- of the previous occurrence, maintaining table topology and avoiding
+ -- infinite recursion, and charge zero bytes for this as the object has
+ -- already been counted.
+ back_references = back_references or {}
+ local bref = back_references[msg]
+ if bref then
+ return bref, 0
+ end
+ -- Construct a new table by cleaning all the keys and values and adding
+ -- up their costs, plus 8 bytes as a rough estimate of table overhead.
+ local cost = 8
+ local ret = {}
+ back_references[msg] = ret
+ for k, v in pairs(msg) do
+ local k_cost, v_cost
+ k, k_cost = clean_and_weigh_digiline_message(k, back_references)
+ v, v_cost = clean_and_weigh_digiline_message(v, back_references)
+ if k ~= nil and v ~= nil then
+ -- Only include an element if its key and value are of legal
+ -- types.
+ ret[k] = v
+ end
+ -- If we only counted the cost of a table element when we actually
+ -- used it, we would be vulnerable to the following attack:
+ -- 1. Construct a huge table (too large to pass the cost limit).
+ -- 2. Insert it somewhere in a table, with a function as a key.
+ -- 3. Insert it somewhere in another table, with a number as a key.
+ -- 4. The first occurrence doesn’t pay the cost because functions
+ -- are stripped and therefore the element is dropped.
+ -- 5. The second occurrence doesn’t pay the cost because it’s in
+ -- back_references.
+ -- By counting the costs regardless of whether the objects will be
+ -- included, we avoid this attack; it may overestimate the cost of
+ -- some messages, but only those that won’t be delivered intact
+ -- anyway because they contain illegal object types.
+ cost = cost + k_cost + v_cost
+ end
+ return ret, cost
+ else
+ return nil, 0
+ end
+end
+
+
+-- itbl: Flat table of functions to run after sandbox cleanup, used to prevent various security hazards
+local function get_digiline_send(pos, itbl, send_warning)
+ if not minetest.global_exists("digilines") then return end
+ local chan_maxlen = mesecon.setting("luacontroller_digiline_channel_maxlen", 256)
+ local maxlen = mesecon.setting("luacontroller_digiline_maxlen", 50000)
return function(channel, msg)
+ -- NOTE: This runs within string metatable sandbox, so don't *rely* on anything of the form (""):y
+ -- or via anything that could.
-- Make sure channel is string, number or boolean
- if (type(channel) ~= "string" and type(channel) ~= "number" and type(channel) ~= "boolean") then
+ if type(channel) == "string" then
+ if #channel > chan_maxlen then
+ send_warning("Channel string too long.")
+ return false
+ end
+ elseif (type(channel) ~= "string" and type(channel) ~= "number" and type(channel) ~= "boolean") then
+ send_warning("Channel must be string, number or boolean.")
return false
end
- -- It is technically possible to send functions over the wire since
- -- the high performance impact of stripping those from the data has
- -- been decided to not be worth the added realism.
- -- Make sure serialized version of the data is not insanely long to
- -- prevent DoS-like attacks
- local msg_ser = minetest.serialize(msg)
- if #msg_ser > mesecon.setting("luacontroller_digiline_maxlen", 50000) then
+ local msg_cost
+ msg, msg_cost = clean_and_weigh_digiline_message(msg)
+ if msg == nil or msg_cost > maxlen then
+ send_warning("Message was too complex, or contained invalid data.")
return false
end
- minetest.after(0, function()
- digiline:receptor_send(pos, digiline.rules.default, channel, msg)
+ table.insert(itbl, function ()
+ -- Runs outside of string metatable sandbox
+ local luac_id = minetest.get_meta(pos):get_int("luac_id")
+ mesecon.queue:add_action(pos, "lc_digiline_relay", {channel, luac_id, msg})
end)
return true
end
@@ -297,11 +412,12 @@ end
local safe_globals = {
+ -- Don't add pcall/xpcall unless willing to deal with the consequences (unless very careful, incredibly likely to allow killing server indirectly)
"assert", "error", "ipairs", "next", "pairs", "select",
"tonumber", "tostring", "type", "unpack", "_VERSION"
}
-local function create_environment(pos, mem, event)
+local function create_environment(pos, mem, event, itbl, send_warning)
-- Gather variables for the environment
local vports = minetest.registered_nodes[minetest.get_node(pos).name].virtual_portstates
local vports_copy = {}
@@ -318,8 +434,8 @@ local function create_environment(pos, mem, event)
heat = mesecon.get_heat(pos),
heat_max = mesecon.setting("overheat_max", 20),
print = safe_print,
- interrupt = get_interrupt(pos),
- digiline_send = get_digiline_send(pos),
+ interrupt = get_interrupt(pos, itbl, send_warning),
+ digiline_send = get_digiline_send(pos, itbl, send_warning),
string = {
byte = string.byte,
char = string.char,
@@ -407,10 +523,11 @@ local function create_sandbox(code, env)
jit.off(f, true)
end
+ local maxevents = mesecon.setting("luacontroller_maxevents", 10000)
return function(...)
+ -- NOTE: This runs within string metatable sandbox, so the setting's been moved out for safety
-- Use instruction counter to stop execution
-- after luacontroller_maxevents
- local maxevents = mesecon.setting("luacontroller_maxevents", 10000)
debug.sethook(timeout, "", maxevents)
local ok, ret = pcall(f, ...)
debug.sethook() -- Clear hook
@@ -421,7 +538,7 @@ end
local function load_memory(meta)
- return minetest.deserialize(meta:get_string("lc_memory")) or {}
+ return minetest.deserialize(meta:get_string("lc_memory"), true) or {}
end
@@ -438,26 +555,42 @@ local function save_memory(pos, meta, mem)
end
end
-
-local function run(pos, event)
+-- Returns success (boolean), errmsg (string)
+-- run (as opposed to run_inner) is responsible for setting up meta according to this output
+local function run_inner(pos, code, event)
local meta = minetest.get_meta(pos)
- if overheat(pos) then return end
- if ignore_event(event, meta) then return end
+ -- Note: These return success, presumably to avoid changing LC ID.
+ if overheat(pos) then return true, "" end
+ if ignore_event(event, meta) then return true, "" end
-- Load code & mem from meta
local mem = load_memory(meta)
local code = meta:get_string("code")
+ -- 'Last warning' label.
+ local warning = ""
+ local function send_warning(str)
+ warning = "Warning: " .. str
+ end
+
-- Create environment
- local env = create_environment(pos, mem, event)
+ local itbl = {}
+ local env = create_environment(pos, mem, event, itbl, send_warning)
-- Create the sandbox and execute code
local f, msg = create_sandbox(code, env)
- if not f then return msg end
+ if not f then return false, msg end
+ -- Start string true sandboxing
+ local onetruestring = getmetatable("")
+ -- If a string sandbox is already up yet inconsistent, something is very wrong
+ assert(onetruestring.__index == string)
+ onetruestring.__index = env.string
local success, msg = pcall(f)
- if not success then return msg end
+ onetruestring.__index = string
+ -- End string true sandboxing
+ if not success then return false, msg end
if type(env.port) ~= "table" then
- return "Ports set are invalid."
+ return false, "Ports set are invalid."
end
-- Actually set the ports
@@ -465,17 +598,18 @@ local function run(pos, event)
-- Save memory. This may burn the luacontroller if a memory overflow occurs.
save_memory(pos, meta, env.mem)
-end
-mesecon.queue:add_function("lc_interrupt", function (pos, luac_id, iid)
- -- There is no luacontroller anymore / it has been reprogrammed / replaced / burnt
- if (minetest.get_meta(pos):get_int("luac_id") ~= luac_id) then return end
- if (minetest.registered_nodes[minetest.get_node(pos).name].is_burnt) then return end
- run(pos, {type="interrupt", iid = iid})
-end)
+ -- Execute deferred tasks
+ for _, v in ipairs(itbl) do
+ local failure = v()
+ if failure then
+ return false, failure
+ end
+ end
+ return true, warning
+end
-local function reset_meta(pos, code, errmsg)
- local meta = minetest.get_meta(pos)
+local function reset_formspec(meta, code, errmsg)
meta:set_string("code", code)
code = minetest.formspec_escape(code or "")
errmsg = minetest.formspec_escape(tostring(errmsg or ""))
@@ -485,13 +619,50 @@ local function reset_meta(pos, code, errmsg)
"image_button[4.75,8.75;2.5,1;jeija_luac_runbutton.png;program;]"..
"image_button_exit[11.72,-0.25;0.425,0.4;jeija_close_window.png;exit;]"..
"label[0.1,9;"..errmsg.."]")
+end
+
+local function reset_meta(pos, code, errmsg)
+ local meta = minetest.get_meta(pos)
+ reset_formspec(meta, code, errmsg)
meta:set_int("luac_id", math.random(1, 65535))
end
+-- Wraps run_inner with LC-reset-on-error
+local function run(pos, event)
+ local meta = minetest.get_meta(pos)
+ local code = meta:get_string("code")
+ local ok, errmsg = run_inner(pos, code, event)
+ if not ok then
+ reset_meta(pos, code, errmsg)
+ else
+ reset_formspec(meta, code, errmsg)
+ end
+ return ok, errmsg
+end
+
local function reset(pos)
set_port_states(pos, {a=false, b=false, c=false, d=false})
end
+-----------------------
+-- A.Queue callbacks --
+-----------------------
+
+mesecon.queue:add_function("lc_interrupt", function (pos, luac_id, iid)
+ -- There is no luacontroller anymore / it has been reprogrammed / replaced / burnt
+ if (minetest.get_meta(pos):get_int("luac_id") ~= luac_id) then return end
+ if (minetest.registered_nodes[minetest.get_node(pos).name].is_burnt) then return end
+ run(pos, {type="interrupt", iid = iid})
+end)
+
+mesecon.queue:add_function("lc_digiline_relay", function (pos, channel, luac_id, msg)
+ if not digiline then return end
+ -- This check is only really necessary because in case of server crash, old actions can be thrown into the future
+ if (minetest.get_meta(pos):get_int("luac_id") ~= luac_id) then return end
+ if (minetest.registered_nodes[minetest.get_node(pos).name].is_burnt) then return end
+ -- The actual work
+ digiline:receptor_send(pos, digiline.rules.default, channel, msg)
+end)
-----------------------
-- Node Registration --
@@ -518,6 +689,7 @@ local digiline = {
receptor = {},
effector = {
action = function(pos, node, channel, msg)
+ msg = clean_and_weigh_digiline_message(msg)
run(pos, {type = "digiline", channel = channel, msg = msg})
end
}
@@ -531,12 +703,7 @@ end
local function set_program(pos, code)
reset(pos)
reset_meta(pos, code)
- local err = run(pos, {type="program"})
- if err then
- reset_meta(pos, code, err)
- return false, err
- end
- return true
+ return run(pos, {type="program"})
end
local function on_receive_fields(pos, form_name, fields, sender)
@@ -625,6 +792,7 @@ for d = 0, 1 do
},
inventory_image = top,
paramtype = "light",
+ is_ground_content = false,
groups = groups,
drop = BASENAME.."0000",
sunlight_propagates = true,
@@ -672,6 +840,7 @@ minetest.register_node(BASENAME .. "_burnt", {
inventory_image = "jeija_luacontroller_burnt_top.png",
is_burnt = true,
paramtype = "light",
+ is_ground_content = false,
groups = {dig_immediate=2, not_in_creative_inventory=1},
drop = BASENAME.."0000",
sunlight_propagates = true,