
> I found a use-after-free vulnerability caused by the following input:
> ({debug.setlocal(1, 1 .. [[]], 'a')}).acos = 1
> 
> I am not sure what the root cause of this problem is but when I
> execute this code in lua, which was compiled with ASAN, I get the
> following output:
> 
> [...]

From the Lua manual:

        The Debug Library
        [...]
        You should exert care when using this library.  Several of its
        functions violate basic assumptions about Lua code (e.g., that
        variables local to a function cannot be accessed from outside;
        that userdata metatables cannot be changed by Lua code; that Lua
        programs do not crash) and therefore can compromise otherwise
        secure code.

In your example, the call "debug.setlocal(1, 1 .. [[]], 'a')",
which can be simplified to "debug.setlocal(1, 1, 'a')", is changing
the table being constructed into a string. Because Lua itself created
that table, it does not check its type when adding the element inside
the constructor. The result is that Lua will handle the string 'a' as
if it was a table...

-- Roberto
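The practical consequence of the manual text quoted above is that untrusted source must never see the `debug` library. The following is an added example, not code from the thread or from the Lua project; it assumes Lua 5.2 or later, where `load` accepts an explicit environment table, and uses the input from the report only to show that it now fails with an ordinary Lua error instead of reaching `debug.setlocal`.

```lua
-- Added example (not from the thread): run untrusted Lua source with an
-- environment that omits the debug library.  Assumes Lua 5.2 or later.

-- Whitelist of globals exposed to untrusted code.  Anything not listed
-- (debug, load, dofile, require, io, os, rawset, setmetatable, ...) is absent.
local SAFE_GLOBALS = {
  "assert", "error", "ipairs", "next", "pairs", "pcall", "select",
  "tonumber", "tostring", "type", "xpcall",
}
local SAFE_LIBS = { "math", "string", "table" }

local function make_sandbox_env()
  local env = {}
  for _, name in ipairs(SAFE_GLOBALS) do env[name] = _G[name] end
  for _, lib in ipairs(SAFE_LIBS) do
    -- shallow copy so untrusted code cannot mutate the host's library tables
    local copy = {}
    for k, v in pairs(_G[lib]) do copy[k] = v end
    env[lib] = copy
  end
  return env
end

-- Compile `src` as text only (mode "t" rejects precompiled chunks, which
-- the VM does not verify) and run it inside a fresh sandbox environment.
-- Returns pcall-style results: ok, error-or-first-return-value.
local function run_sandboxed(src, chunkname)
  local chunk, err = load(src, chunkname or "=untrusted", "t", make_sandbox_env())
  if not chunk then return false, err end
  return pcall(chunk)
end

-- The input from the report: with no `debug` in the environment, the
-- expression `debug.setlocal` indexes nil and raises a normal error
-- before the table constructor can be corrupted.
local ok, err = run_sandboxed("({debug.setlocal(1, 1 .. [[]], 'a')}).acos = 1")
assert(not ok)
print(err) -- e.g. "untrusted:1: attempt to index a nil value (global 'debug')"
```

This removes only the `debug`-based avenue; resource exhaustion (CPU time, memory, string sizes) is not addressed by an environment whitelist and needs separate limits.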