I have a fork of redis 6.2.6 with luajit.
However redis 6.2 is now at 6.2.7.
I tried to merge the newest changes into my fork and got this error message. I'm just wondering what may have changed and what I can do to fix it.
https://github.com/zcaudate/redis-luajit/runs/7401721241?check_suite_focus=true#step:3:700
scripting.c: In function ‘luaSetTableProtectionRecursively’:
scripting.c:1212:9: error: implicit declaration of function ‘lua_isreadonlytable’; did you mean ‘lua_createtable’? [-Werror=implicit-function-declaration]
1212 | if (lua_isreadonlytable(lua, -1)) {
| ^~~~~~~~~~~~~~~~~~~
| lua_createtable
scripting.c:1217:5: error: implicit declaration of function ‘lua_enablereadonlytable’ [-Werror=implicit-function-declaration]
1217 | lua_enablereadonlytable(lua, -1, 1);
| ^~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
make[2]: *** [Makefile:376: scripting.o] Error 1
make[2]: Leaving directory '/home/runner/work/redis-luajit/redis-luajit/src'
make[1]: Leaving directory '/home/runner/work/redis-luajit/redis-luajit/src'
make[1]: *** [Makefile:418: 32bit] Error 2
make: *** [Makefile:6: 32bit] Error 2
Comment From: madolson
@MeirShpilraien This looks like the readonly work you did, care to answer?
Comment From: sundb
@zcaudate You're using a submodule to bring in luajit. It looks like you should bring in the luajit source code and modify it like https://github.com/redis/redis/commit/11b602fbf8f9cdf8fc741c24625ab6287ab998a9
Comment From: zcaudate
@sundb so it should work if I add functions from lapi.c and lua.h?
Comment From: zcaudate
Hmm... looking at this commit... there's quite a bit going on.
luajit doesn't have lapi.c or the LUA_API macro. So I'm not sure how to put the function in.
Also, doesn't luaLoadLib already enforce library allowed lists?
https://github.com/zcaudate/redis-luajit/blob/bc91d11b11c7055935bf038ecb90bb58389de4a9/src/scripting.c#L1058-L1067
Comment From: MeirShpilraien
Hey @zcaudate,
The API you need to add to Luajit in order to be able to compile was added in the following commits:
* https://github.com/redis/redis/commit/13c1e1f2986adcd8788f464a1931cdfe744f15f9
  * lua_enablereadonlytable
* https://github.com/redis/redis/commit/11b602fbf8f9cdf8fc741c24625ab6287ab998a9
  * lua_isreadonlytable

The purpose is to close CVE-2022-24735: https://github.com/redis/redis/security/advisories/GHSA-647m-2wmq-qmvq
> Also, doesn't luaLoadLib already enforce library allowed lists?

The allowed list was added to be more safe in the future and prevent mistakes. It has nothing to do with the new Lua API.
If you want to disable the use of this new API on your fork, I can guide you on how to do this, but then you will be exposed to CVE-2022-24735 that was mentioned above.
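An added example, not part of the original thread or of Redis: a shell check a fork maintainer could run before building, to confirm that the Lua headers the fork compiles against declare the two functions named above, so a merge cannot silently ship without the CVE-2022-24735 mitigation. The function name `missing_lua_api` and the header directory argument are assumptions about the fork's setup, and the comment stripping is a one-line heuristic.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from Redis or LuaJIT).
# Function names are the two reported missing in the compiler errors above.
REQUIRED_LUA_API="lua_isreadonlytable lua_enablereadonlytable"

# missing_lua_api DIR
# Prints each required function that has no declaration in any *.h file
# under DIR, one per line.
# Returns 0 if all are declared, 1 if any is missing, 2 if DIR is unusable.
missing_lua_api() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Concatenate the headers and drop one-line /* */ and // comments, so a
    # mention inside a comment does not count as a declaration.
    decls=$(find "$dir" -type f -name '*.h' -exec cat {} + |
            sed -e 's:/\*[^*]*\*/::g' -e 's://.*$::')

    status=0
    for fn in $REQUIRED_LUA_API; do
        # Whole-identifier match: Lua headers write names as "(lua_name) (...)",
        # so the name may be wrapped in parentheses.
        if ! printf '%s\n' "$decls" |
             grep -Eq "(^|[^A-Za-z0-9_])${fn}([^A-Za-z0-9_]|\$)"; then
            printf '%s\n' "$fn"
            status=1
        fi
    done
    return $status
}

# Usage in a CI step (the path is a placeholder for the fork's header dir):
#   missing_lua_api path/to/lua/headers || exit 1
```

A non-empty result means `scripting.c` will fail to compile with the same implicit-declaration errors, and the fix is to add the read-only table API to the Lua implementation rather than to remove the calls.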
Comment From: zcaudate
@MeirShpilraien, thanks for the explanation and also for pointing out the commits.
I got a reply here about adding these apis to luajit and it's definitely beyond me: https://github.com/LuaJIT/LuaJIT/issues/868#issuecomment-1188893283
I'll need to kick the can down the road for this one....
Comment From: oranagra
closing as answered.. the fork with LuaJIT is out of scope in this repo.