RE: Bug: Segfault calling tostring on a result from debug.getlocal

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: RE: Bug: Segfault calling tostring on a result from debug.getlocal
From: Dan Tull <dtull@...>
Date: Fri, 20 Apr 2012 13:00:41 -0700

I was also thinking of adding a lua_assert to the switch block in 
lua_getmetatable so that if any other such bugs occur, the attempt 
to index outside the mt array fails noisily (in debug builds, anyway).

Thanks -- DT

________________________________________
From: lua-l-bounces@lists.lua.org [lua-l-bounces@lists.lua.org] On Behalf Of Peter Cawley [lua@corsix.org]
Sent: Friday, April 20, 2012 2:52 PM
To: Lua mailing list
Subject: Re: Bug: Segfault calling tostring on a result from debug.getlocal

On Fri, Apr 20, 2012 at 8:40 PM, Roberto Ierusalimschy
<roberto@inf.puc-rio.br> wrote:
> Many thanks for the report. A quick fix would be to filter out that
> values in lua_getlocal; maybe a better (but more extensive) fix would be
> to avoid putting prototypes in the stack in the first place.

For what it's worth, I'd lead toward the extensive fix; due to
load()'s callback, malicious bytecode can grab the prototype whilst
avoiding lua_getlocal's hypothetical filter. Albeit you may have
bigger problems if malicious bytecode is flying around, but it would
mean one less path to exploitation.

References:
- Bug: Segfault calling tostring on a result from debug.getlocal, Dan Tull
- Re: Bug: Segfault calling tostring on a result from debug.getlocal, Roberto Ierusalimschy
- Re: Bug: Segfault calling tostring on a result from debug.getlocal, Peter Cawley

Prev by Date: Re: Bug: Segfault calling tostring on a result from debug.getlocal
Next by Date: Re: Lua in iBooks Author?
Previous by thread: Re: Bug: Segfault calling tostring on a result from debug.getlocal
Next by thread: Lua in iBooks Author?
Index(es):
- Date
- Thread