Page MenuHomePhabricator
Create Task
Maniphest T210634

Scribunto test “LuaStandalone: SecurityTests[1]: CVE-2014-5461” failing in Wikibase CI builds
Closed, ResolvedPublic
Actions

Description

In Wikidata-related repositories, we’re experiencing random CI failures with the following error (example build) since yesterday evening (I think):

There was 1 failure:

1) LuaStandalone: SecurityTests[1]: CVE-2014-5461
Failed asserting that two strings are identical.
--- Expected
+++ Actual
@@ @@
-'ERROR: stack overflow'
+'ERROR: not enough memory'

/workspace/src/extensions/Scribunto/tests/phpunit/engines/LuaCommon/LuaEngineTestBase.php:261
/workspace/src/tests/phpunit/MediaWikiTestCase.php:424
/workspace/src/maintenance/doMaintenance.php:94

This is impacting our ability to merge changes, including the fix to T210617, a train blocker.

Details

SubjectRepoBranchLines +/-
Fix stack overflows being reported as OOM errorsmediawiki/extensions/Scribuntomaster+4 -0
Customize query in gerrit

Related Objects

Event Timeline

Lucas_Werkmeister_WMDE created this task.Nov 28 2018, 5:22 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 28 2018, 5:22 PM
Lucas_Werkmeister_WMDE renamed this task from LuaStandalone: SecurityTests[1]: CVE-2014-5461 failing to Scribunto test “LuaStandalone: SecurityTests[1]: CVE-2014-5461” failing in Wikibase CI builds.Nov 28 2018, 5:29 PM
Lucas_Werkmeister_WMDE updated the task description. (Show Details)
Lucas_Werkmeister_WMDE added a project: Continuous-Integration-Config.
Anomie subscribed.Nov 28 2018, 7:54 PM

Apparently the test added for T209232: Add a unit test to Scribunto testing it is not vulnerable to CVE-2014-5461 is sometimes running out of allowed memory (set by ulimit most likely) before it runs out of Lua stack space (a constant set in Lua's C code), so it's giving a different error from the one that was expected.

If nothing else we could revert rELUA7a7f5226765e: Adding a unit test for CVE-2014-5461 in Scribunto. and let them try again on that task.

Anomie added a subscriber: Bawolff.Nov 28 2018, 7:55 PM
Bawolff added a comment.Nov 28 2018, 9:08 PM

The gci task is already accepted - we cant force the student to do more work (we can of course ask nicely)

In T210634#4782783, @Anomie wrote:

Apparently the test added for T209232: Add a unit test to Scribunto testing it is not vulnerable to CVE-2014-5461 is sometimes running out of allowed memory (set by ulimit most likely) before it runs out of Lua stack space (a constant set in Lua's C code), so it's giving a different error from the one that was expected.

If nothing else we could revert rELUA7a7f5226765e: Adding a unit test for CVE-2014-5461 in Scribunto. and let them try again on that task.

Anomie added a comment.Nov 28 2018, 10:48 PM

Or you could have someone else try it again.

matmarex subscribed.Nov 29 2018, 12:58 AM

Also occurred on https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Math/+/476339

Jdforrester-WMF subscribed.Nov 29 2018, 3:01 AM
hoo subscribed.Nov 29 2018, 3:24 AM
Michael subscribed.Nov 30 2018, 12:24 PM
gerritbot subscribed.Nov 30 2018, 1:55 PM

Change 476854 had a related patch set uploaded (by Lucas Werkmeister (WMDE); owner: Lucas Werkmeister (WMDE)):
[mediawiki/extensions/Scribunto@master] Fix stack overflows being reported as OOM errors

https://gerrit.wikimedia.org/r/476854

gerritbot added a project: Patch-For-Review.Nov 30 2018, 1:55 PM
Lucas_Werkmeister_WMDE added a comment.Nov 30 2018, 5:48 PM

The change adding the test was reverted in Id2eeeb781b (I’m not sure why @gerritbot didn’t leave a comment), and since then I haven’t seen any more occurrences of this bug, so the CI issue seems to be resolved.

However, I assume we still want to have some test for CVE-2014-5461, so I’m not sure how to proceed. Perhaps close this task and reopen T209232: Add a unit test to Scribunto testing it is not vulnerable to CVE-2014-5461? (Though I’m not sure if it’s still suitable for GCI with these added complications.)

Anomie closed this task as Resolved.Nov 30 2018, 6:43 PM
Anomie assigned this task to Lucas_Werkmeister_WMDE.
In T210634#4789618, @Lucas_Werkmeister_WMDE wrote:

The change adding the test was reverted in Id2eeeb781b (I’m not sure why @gerritbot didn’t leave a comment), and since then I haven’t seen any more occurrences of this bug, so the CI issue seems to be resolved.

@gerritbot didn't leave a comment here because Id2eeeb781b didn't mention this task in a bug footer (or maybe in the whole commit summary, I forget whether it's only the footer that counts or not).

However, I assume we still want to have some test for CVE-2014-5461, so I’m not sure how to proceed. Perhaps close this task and reopen T209232: Add a unit test to Scribunto testing it is not vulnerable to CVE-2014-5461? (Though I’m not sure if it’s still suitable for GCI with these added complications.)

Sounds good to me, I'm going to do that. Whether it's still suitable for GCI or not can be discussed on that task as well.

Anomie mentioned this in T209232: Add a unit test to Scribunto testing it is not vulnerable to CVE-2014-5461.Nov 30 2018, 6:46 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:38 PM
gerritbot added a comment.Sep 30 2022, 1:56 AM

Change 476854 abandoned by Legoktm:

[mediawiki/extensions/Scribunto@master] Fix stack overflows being reported as OOM errors

Reason:

Abandoning because the test was reverted, I think a better direction is to fix the test framework to somehow handle both errors instead of rewriting errors. (Please restore if you disagree!)

https://gerrit.wikimedia.org/r/476854

Maintenance_bot removed a project: Patch-For-Review.Sep 30 2022, 2:30 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL