I played around with lua + libfuzzer and can't continue, because it always stops: the sheer number of luaL_loadbuffer calls results in a heap-buffer-overflow.
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include "lua.h"
#include "lauxlib.h"
#include "lualib.h"
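/* Number of luaL_loadbuffer calls made so far; file scope so it is easy to
 * inspect from a debugger when the sanitizer stops the process. */
unsigned long long persist_cnt;

/*
 * Reproducer: load an empty chunk PERSIST_MAX+1 times on a single lua_State.
 *
 * luaL_loadbuffer leaves its result (the compiled chunk, or an error message)
 * on the Lua stack and nothing here pops it, so the stack grows by one slot
 * per iteration until it reaches Lua's size limit; that is the condition the
 * AddressSanitizer report below was captured in.  A fuzzing harness that
 * wants independent iterations would add `lua_pop(L, 1)` after each load;
 * this reproducer keeps the original behaviour and leaves the values in
 * place.
 *
 * PERSIST_MAX (environment, any base strtoull accepts) overrides the default
 * iteration count of 1010000.  Exits 1 when the value is not a valid number
 * or the Lua state cannot be created.
 */
int main(void) {
    const char *env = getenv("PERSIST_MAX");
    unsigned long long persist_max = 1010000;
    if (env != NULL) {
        /* strtoull reports bad input through endptr and errno; a silent 0
         * would otherwise turn a typo into a two-iteration run. */
        char *end = NULL;
        errno = 0;
        persist_max = strtoull(env, &end, 0);
        if (end == env || *end != '\0' || errno == ERANGE) {
            fprintf(stderr, "PERSIST_MAX: invalid value '%s'\n", env);
            return 1;
        }
    }
    lua_State *L = luaL_newstate();
    if (L == NULL) {
        fputs("luaL_newstate failed (out of memory)\n", stderr);
        return 1;
    }
    /* do/while keeps the original count: loads happen for persist_cnt
     * 0..persist_max inclusive. */
    do {
        /* NULL buffer with size 0 is a legal empty chunk for luaL_loadbuffer. */
        luaL_loadbuffer(L, NULL, 0, "stdin");
    } while (persist_cnt++ < persist_max);
    lua_close(L);
    return 0;
}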
PERSIST_MAX=1010000 ./lua-clang-main
=================================================================
==32128==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ff410865880 at pc 0x00000069c095 bp 0x7ffc3e6b4b70 sp 0x7ffc3e6b4b68
WRITE of size 8 at 0x7ff410865880 thread T0
#0 0x69c094 in luaY_parser(lua_State*, Zio*, Mbuffer*, Dyndata*, char const*, int) /home/skomski/Code/lua_test/lua-5.3.1/src/lparser.c:1628:3
#1 0x5ef4ae in f_parser(lua_State*, void*) /home/skomski/Code/lua_test/lua-5.3.1/src/ldo.c:691:10
#2 0x5cf6ff in luaD_rawrunprotected(lua_State*, void (*)(lua_State*, void*), void*) /home/skomski/Code/lua_test/lua-5.3.1/src/ldo.c:142:3
#3 0x5ed53a in luaD_pcall(lua_State*, void (*)(lua_State*, void*), void*, long, long) /home/skomski/Code/lua_test/lua-5.3.1/src/ldo.c:644:12
#4 0x5ee577 in luaD_protectedparser(lua_State*, Zio*, char const*, char const*) /home/skomski/Code/lua_test/lua-5.3.1/src/ldo.c:708:12
#5 0x541d8c in lua_load(lua_State*, char const* (*)(lua_State*, void*, unsigned long*), void*, char const*, char const*) /home/skomski/Code/lua_test/lua-5.3.1/src/lapi.c:975:12
#6 0x565acf in luaL_loadbufferx(lua_State*, char const*, unsigned long, char const*, char const*) /home/skomski/Code/lua_test/lua-5.3.1/src/lauxlib.c:698:10
#7 0x7da479 in main /home/skomski/Code/lua_test/main_simple.cc:16:3
#8 0x7ff567e9978f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
#9 0x419968 in _start (/home/skomski/Code/lua_test/lua-clang-main+0x419968)
0x7ff410865880 is located 0 bytes to the right of 16003200-byte region [0x7ff40f922800,0x7ff410865880)
allocated by thread T0 here:
#0 0x4afcd0 in realloc /home/skomski/Code/llvm-related/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:61
#1 0x568a89 in l_alloc(void*, void*, unsigned long, unsigned long) /home/skomski/Code/lua_test/lua-5.3.1/src/lauxlib.c:944:12
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/skomski/Code/lua_test/lua-5.3.1/src/lparser.c:1628:3 in luaY_parser(lua_State*, Zio*, Mbuffer*, Dyndata*, char const*, int)
Shadow bytes around the buggy address:
0x0fff02104ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fff02104ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fff02104ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fff02104af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fff02104b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fff02104b10:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fff02104b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fff02104b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fff02104b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fff02104b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fff02104b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
==32128==ABORTING
[1] 32128 exit 1 PERSIST_MAX=1010000 ./lua-clang-main
PERSIST_MAX=1010000 ./lua-clang-main 11.08s user 0.47s system 99% cpu 11.590 total
Kind regards,
Karl Skomski