- Subject: Specially crafted binary chunks can cause Lua to crash
- From: "Peter Cawley" <lua@...>
- Date: Mon, 24 Mar 2008 19:30:13 +0000
Consider the following code:

    -- Dump a function whose code is just two RETURN instructions.
    s = string.dump(function() return end)
    -- Locate the first RETURN (opcode 30, little-endian 0x0080001E) in the dump.
    pre, post = s:find(string.char(30, 0, 128, 0), 1, true)
    -- Overwrite it with SETLIST (opcode 34, A=0, B=0, C=0), reload and run.
    assert(loadstring(s:sub(1, pre - 1) .. string.char(34, 0, 0, 0) ..
                      s:sub(post + 1, -1)))()
When run, it can cause the Lua interpreter to crash. First it creates
a function whose opcodes are:
RETURN
RETURN
Then it dumps this to a string and replaces the first RETURN with a
SETLIST, loads this modified chunk and executes it. The Lua VM
executes the SETLIST instruction, and as C is 0, it skips the next
instruction and uses it as a list offset. The VM now continues to
execute whatever came after the final RETURN, which will be whatever
is in memory after the end of the instruction array. Worst case is
that these instructions cause a segfault, best case is a runtime
error.
A potential fix would be to add the following line to the precheck
function in ldebug.c:

    if (pt->sizecode > 1) check(GET_OPCODE(pt->code[pt->sizecode-2]) != OP_SETLIST);
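To make the failure mode concrete, here is a small stand-alone C program (added for this write-up; it is neither Peter Cawley's code nor a patch to ldebug.c) that decodes 32-bit Lua 5.1 instructions with the lopcodes.h field layout (6-bit opcode, 8-bit A, 9-bit C, 9-bit B) and the opcode numbers OP_RETURN = 30 and OP_SETLIST = 34, rebuilds the two code arrays from the message above, and runs a bounds check over them. The check generalizes the proposed one-liner: any SETLIST with C == 0 consumes the following word as its real C argument, so that word must exist and must not be the final RETURN, wherever the SETLIST sits. All function and variable names are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Lua 5.1 instruction layout (as in lopcodes.h): opcode in the low 6 bits,
   then A (8 bits), C (9 bits) and B (9 bits). */
#define SIZE_OP 6
#define SIZE_A  8
#define SIZE_C  9
#define SIZE_B  9
#define POS_OP  0
#define POS_A   (POS_OP + SIZE_OP)   /* 6  */
#define POS_C   (POS_A + SIZE_A)     /* 14 */
#define POS_B   (POS_C + SIZE_C)     /* 23 */

#define MASK(n)       ((1u << (n)) - 1u)
#define GET_OPCODE(i) (((i) >> POS_OP) & MASK(SIZE_OP))
#define GETARG_A(i)   (((i) >> POS_A)  & MASK(SIZE_A))
#define GETARG_B(i)   (((i) >> POS_B)  & MASK(SIZE_B))
#define GETARG_C(i)   (((i) >> POS_C)  & MASK(SIZE_C))

/* Opcode numbers from the Lua 5.1 OpCode enum. */
#define OP_RETURN  30
#define OP_SETLIST 34

typedef uint32_t Instruction;

/* Assemble an iABC instruction; only used to build sample code arrays. */
static Instruction encode_abc(unsigned op, unsigned a, unsigned b, unsigned c) {
    return ((op & MASK(SIZE_OP)) << POS_OP) | ((a & MASK(SIZE_A)) << POS_A)
         | ((b & MASK(SIZE_B)) << POS_B)   | ((c & MASK(SIZE_C)) << POS_C);
}

/* Read one instruction as it is laid out in a little-endian string.dump(). */
static Instruction decode_le(const unsigned char b[4]) {
    return (Instruction)b[0] | ((Instruction)b[1] << 8)
         | ((Instruction)b[2] << 16) | ((Instruction)b[3] << 24);
}

/* Returns 1 if the code array is safe with respect to SETLIST, 0 otherwise.
   Rules: the array must end in RETURN (the existing precheck rule), and a
   SETLIST with C == 0 takes the NEXT word as its real C argument, so that
   word must exist and must not itself be the final RETURN; execution then
   resumes after the consumed word. */
static int check_setlist_bounds(const Instruction *code, int sizecode) {
    int pc;
    if (sizecode < 1 || GET_OPCODE(code[sizecode - 1]) != OP_RETURN)
        return 0;
    for (pc = 0; pc < sizecode; pc++) {
        Instruction i = code[pc];
        if (GET_OPCODE(i) == OP_SETLIST && GETARG_C(i) == 0) {
            pc++;                    /* next word is data, not an opcode */
            if (pc >= sizecode - 1)  /* it would swallow the final RETURN */
                return 0;
        }
    }
    return 1;
}

/* Sample 1: the dump of `function() return end`, i.e. RETURN; RETURN. */
static int original_chunk_ok(void) {
    const unsigned char ret_bytes[4] = {30, 0, 128, 0};  /* string.char(30,0,128,0) */
    Instruction code[2] = { decode_le(ret_bytes), decode_le(ret_bytes) };
    return check_setlist_bounds(code, 2);
}

/* Sample 2: the same chunk with the first RETURN replaced by SETLIST 0 0 0. */
static int patched_chunk_ok(void) {
    const unsigned char ret_bytes[4]     = {30, 0, 128, 0};
    const unsigned char setlist_bytes[4] = {34, 0, 0, 0};  /* string.char(34,0,0,0) */
    Instruction code[2] = { decode_le(setlist_bytes), decode_le(ret_bytes) };
    return check_setlist_bounds(code, 2);
}

/* Sample 3 (constructed): a SETLIST with C == 0 that is legitimately followed
   by a data word and then the final RETURN; this must pass. */
static int setlist_with_data_word_ok(void) {
    Instruction code[3] = { encode_abc(OP_SETLIST, 0, 1, 0),
                            60u,                         /* raw list offset */
                            encode_abc(OP_RETURN, 0, 1, 0) };
    return check_setlist_bounds(code, 3);
}

int main(void) {
    Instruction ret = encode_abc(OP_RETURN, 0, 1, 0);
    printf("RETURN 0 1 encodes as 0x%08X\n", (unsigned)ret);
    printf("original chunk ok: %d\n", original_chunk_ok());     /* 1 */
    printf("patched chunk ok:  %d\n", patched_chunk_ok());      /* 0 */
    printf("setlist+data ok:   %d\n", setlist_with_data_word_ok()); /* 1 */
    return 0;
}
```

Decoding the four bytes 30, 0, 128, 0 gives RETURN with A = 0 and B = 1, which is why both words of the original dump match the search string; decoding 34, 0, 0, 0 gives SETLIST with C = 0, the case that makes the VM read past the last instruction. Note that rejecting only a SETLIST in slot sizecode-2 is enough for the chunk in the message, but the walk above also rejects a SETLIST whose consumed data word is the final RETURN at any other position reached through the pc skip.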