
2016-01-05 23:06 GMT+02:00 Lorenzo Donati <lorenzodonatibz@tiscali.it>:
>
>
> On 05/01/2016 21:12, Dirk Laurie wrote:
>>
>> 2016-01-05 19:18 GMT+02:00 Lorenzo Donati <lorenzodonatibz@tiscali.it>:
>>>
>>>
>>>
>>> On 01/01/2016 15:30, Roberto Ierusalimschy wrote:
>>>>>>
>>>>>>
>>>>>> ```
>>>>>> local mt = {}
>>>>>> mt.__newindex = mt
>>>>>> local t = setmetatable({}, mt)
>>>>>> t[1] = 1
>>>>>> ```
>>>>
>>>> The bug is quite subtle. Follows a fix:
>>
>>
>>> Although it is subtle, it seems easy to trigger in Lua code.
>>
>>
>> Do you have an example that does not involve making
>> __newindex be the metatable itself?
>>
>>
> No. Should I?
> I said "it seems", so I was asking for clarification.
>
> For "easy" I meant that triggering the crash doesn't need complicated
> instruction sequences or weird values fed to some esoteric function, but
> just operations a mildly experienced Lua programmer may legitimately try
> out.
>
> Using the metatable as target for newindex? Well, I cannot say if it is a
> widespread technique in some weird OO framework, or what could be useful for
> (too tired now), but it doesn't seem so weird that someone honestly couldn't
> find a legitimate use for it.
>
> I stand to be corrected, though; constant use of Lua made me reconsider a
> lot of my OO habits of my Java/C++ past, so I use a more basic OO approach
> now and tend to shun heavy OO contraptions. Therefore I'm a bit "rusted" on
> what are "legitimate/useful" metatable tricks.
>
> OTOH, please, keep in mind that we are not talking about a simple
> misbehavior of the Lua engine, but a straightaway crash, so a real
> showstopper and a potential security risk.
>
> Having the latest Lua source with such a bug in it is not something
> particularly good, IMHO. At least from a "marketing" POV.
>
> This is especially true for new users, with little experience with C and
> unable to apply the patch suggested by Roberto. And this is more important
> because the standard distro is source only, so a newbie cannot simply
> download a patched binary and be happy with it.

As usual with Lua bugs, the bug and its fix have been reported
on http://www.lua.org/bugs.html. The description of the bug is:

   Metatable may access its own deallocated field when
   it has a self reference in __newindex.

The question asked was: Should this bug require a "fast-track"
emergency bug-fix release of 5.3.3?

Lorenzo has ably summarized the reasons why it should, most
of which would be applicable to any bug. About the only one that
is unusual is that the fault shows up as a segfault, not a stack
overflow or some other error that can be trapped at the Lua level.

There are also reasons why it would be unusual to put out an
emergency bug-fix release of a new minor version, most of which
would be applicable to any bug.

1. The bug might not manifest itself on all machines.
2. The fix may introduce a new bug.
3. The combination of 1 and 2 would imply that an existing
working Lua version on that machine has needlessly been
broken.

The Lua 5.3.1 bug "io.lines does not check maximum number
of options" also causes a segfault on my machine. The code
to trigger it is also nothing esoteric. Yet 5.3.2-rc1 was only released
four months after the bug was reported.

I don't think the self-referencing __newindex bug is any worse,
certainly not emergency material.

However, the word "patches" among the quick links on the Download
page
   http://www.lua.org/download.html
is perhaps a little cryptic. It would be helpful, in the situations that
Lorenzo has highlighted, to have a sentence explaining that bugs
(if any) reported after the release was frozen can be found there.