lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]


I played around with lua + libfuzzer and can't continue because it always stops because of the sheer numbers of luaL_loadbuffer calls results into a heap-buffer-overflow.

#include <stdlib.h>

#include "lua.h"
#include "lauxlib.h"
#include "lualib.h"

unsigned long long  persist_cnt;

int main(int argc, char** argv) {
  lua_State* L = luaL_newstate();

  unsigned long long persist_max = getenv("PERSIST_MAX") ?
    strtoull(getenv("PERSIST_MAX"), 0, 0) : 1010000;

try_again:
  luaL_loadbuffer(L, 0, 0, "stdin");

  if (persist_cnt++ < persist_max) {
    goto try_again;
  }

  lua_close(L);

  return 0;
}

PERSIST_MAX=1010000 ./lua-clang-main 
=================================================================
==32128==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ff410865880 at pc 0x00000069c095 bp 0x7ffc3e6b4b70 sp 0x7ffc3e6b4b68
WRITE of size 8 at 0x7ff410865880 thread T0
    #0 0x69c094 in luaY_parser(lua_State*, Zio*, Mbuffer*, Dyndata*, char const*, int) /home/skomski/Code/lua_test/lua-5.3.1/src/lparser.c:1628:3
    #1 0x5ef4ae in f_parser(lua_State*, void*) /home/skomski/Code/lua_test/lua-5.3.1/src/ldo.c:691:10
    #2 0x5cf6ff in luaD_rawrunprotected(lua_State*, void (*)(lua_State*, void*), void*) /home/skomski/Code/lua_test/lua-5.3.1/src/ldo.c:142:3
    #3 0x5ed53a in luaD_pcall(lua_State*, void (*)(lua_State*, void*), void*, long, long) /home/skomski/Code/lua_test/lua-5.3.1/src/ldo.c:644:12
    #4 0x5ee577 in luaD_protectedparser(lua_State*, Zio*, char const*, char const*) /home/skomski/Code/lua_test/lua-5.3.1/src/ldo.c:708:12
    #5 0x541d8c in lua_load(lua_State*, char const* (*)(lua_State*, void*, unsigned long*), void*, char const*, char const*) /home/skomski/Code/lua_test/lua-5.3.1/src/lapi.c:975:12
    #6 0x565acf in luaL_loadbufferx(lua_State*, char const*, unsigned long, char const*, char const*) /home/skomski/Code/lua_test/lua-5.3.1/src/lauxlib.c:698:10
    #7 0x7da479 in main /home/skomski/Code/lua_test/main_simple.cc:16:3
    #8 0x7ff567e9978f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #9 0x419968 in _start (/home/skomski/Code/lua_test/lua-clang-main+0x419968)

0x7ff410865880 is located 0 bytes to the right of 16003200-byte region [0x7ff40f922800,0x7ff410865880)
allocated by thread T0 here:
    #0 0x4afcd0 in realloc /home/skomski/Code/llvm-related/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:61
    #1 0x568a89 in l_alloc(void*, void*, unsigned long, unsigned long) /home/skomski/Code/lua_test/lua-5.3.1/src/lauxlib.c:944:12

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/skomski/Code/lua_test/lua-5.3.1/src/lparser.c:1628:3 in luaY_parser(lua_State*, Zio*, Mbuffer*, Dyndata*, char const*, int)
Shadow bytes around the buggy address:
  0x0fff02104ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff02104ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff02104ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff02104af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff02104b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fff02104b10:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff02104b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff02104b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff02104b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff02104b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fff02104b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
==32128==ABORTING
[1]    32128 exit 1     PERSIST_MAX=1010000 ./lua-clang-main
PERSIST_MAX=1010000 ./lua-clang-main  11.08s user 0.47s system 99% cpu 11.590 total


Kind regards,

Karl Skomski