

Hey all,

last week I found a bug in the Lua parser and sent it to Roberto.  The
patch is online now.[1]

If you handle untrusted code (with luac, load()/loadfile()/..., by
running it in a stripped-down _ENV, etc.), you should probably patch
soon.  Otherwise, it's not that important.


The following construction messes up the internal state:

  for _ in _,_,_,_ do local function _() end

(It can be arbitrarily garnished with statements/blocks where permitted
by the grammar[2], all '_' can be replaced with arbitrary names /
expressions, the namelist and explist of the for statement can be
longer, and you can properly 'end' the for loop and add more code
afterwards.)


This can lead to all sorts of fun things happening, like
 *  segfaults
 *  overwriting of malloc metadata
 *  overwriting Lua data, which can lead to
     +  weird output (while still terminating cleanly)
     +  messing up internal structures, resulting in endless loops
etc.

This is somewhat mitigated by ASLR and Lua's use of a random seed for
string hashing. (The latter leads to different GC behaviors, which
quickly result in wildly different memory layouts.)  Even with ASLR
disabled, any single file using this bug will still produce wildly
different results.  Adding in differences between machines and
compilation runs, this should be rather hard to abuse purposefully.
(Still, if you handle untrusted code, please patch soon.)

Regards,
Marco


[1]: https://www.lua.org/bugs.html
[2]: https://www.lua.org/manual/5.3/manual.html#9
     ("The Complete Syntax of Lua")
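
A triage check for the construct described in the message above, as an added example that is not part of the original post or of the Lua sources: it lexes Lua source text and reports generic `for` loops whose explist has four or more expressions. Assumptions: the threshold of four is taken from the posted snippet, the names `wide_generic_fors` and `SAMPLE` are hypothetical, and the check does not look for a following `local function`, so it over-reports; it only reads source text, not precompiled chunks, and does not replace the patch.

```python
import re

# Comments, strings and numbers are matched first (and dropped) so their
# contents are never mistaken for keywords, commas or brackets.
_LEX = re.compile(r"""
    (?P<skip> --\[(?P<c>=*)\[.*?\](?P=c)\] | --[^\n]*
            | \[(?P<s>=*)\[.*?\](?P=s)\]
            | "(?:\\.|[^"\\\n])*" | '(?:\\.|[^'\\\n])*'
            | \d\w* )
  | (?P<tok> [A-Za-z_]\w* | [(){}\[\],=] )
""", re.X | re.S)
# 'do' opens the block of while/for as well as a plain do-block; all close on 'end'.
OPEN = {"(", "{", "[", "function", "if", "do"}
CLOSE = {")", "}", "]", "end"}

def _tokens(src):
    """Return [(token, line)] for names, keywords, brackets, ',' and '='."""
    return [(m.group("tok"), src.count("\n", 0, m.start()) + 1)
            for m in _LEX.finditer(src) if m.group("tok")]

def wide_generic_fors(src, limit=4):
    """Return [(line, n_exprs)] for generic 'for' loops with >= limit expressions."""
    toks, hits = _tokens(src), []
    for i, (tok, line) in enumerate(toks):
        if tok != "for":
            continue
        # A namelist holds only names and commas, so whichever of 'in' / '='
        # comes first tells a generic loop from a numeric one.
        j = i + 1
        while j < len(toks) and toks[j][0] not in ("in", "=", "do"):
            j += 1
        if j >= len(toks) or toks[j][0] != "in":
            continue
        depth, exprs = 0, 1
        for t, _ in toks[j + 1:]:
            if depth == 0 and t == "do":      # the loop's own 'do' ends the explist
                break
            if depth == 0 and t == ",":       # top-level comma: one more expression
                exprs += 1
            elif t in OPEN:
                depth += 1
            elif t in CLOSE:
                depth -= 1
        if exprs >= limit:
            hits.append((line, exprs))
    return hits

SAMPLE = '''-- constructed sample input
for k, v in pairs(t) do print(k, v) end
for i = 1, 10, 2 do end
for _ in f, {1, 2, 3}, g("a,b,c") do end
for _ in _,_,_,_ do local function _() end end
for x in function() do return 1, 2 end end, a, b, c, d do end
'''
```

`wide_generic_fors(SAMPLE)` reports lines 5 and 6 of the constructed sample; the numeric loop and the loops with one or three expressions are not reported.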