Re: Arbitrary memory reading with gmatch

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Arbitrary memory reading with gmatch_aux upvalue
From: Peter Cawley <lua@...>
Date: Thu, 14 Jul 2016 18:42:46 +0100

Using the debug library to manipulate the upvalues of C functions can
lead to undesirable behaviour. While it is good to have a zoo of such
cases, this example is far from the only animal in the zoo.

On Thu, Jul 14, 2016 at 6:38 PM, Kat Kioo <meepdarknessmeep@gmail.com> wrote:
> Lua 5.3.0  Copyright (C) 1994-2015 Lua.org, PUC-Rio
>> gmatch_aux = string.gmatch("abc", ".")
>> debug.getupvalue(gmatch_aux, 1)
>         abc
>> debug.getupvalue(gmatch_aux, 2)
>         .
>> debug.getupvalue(gmatch_aux, 3)
>         0
>> debug.setupvalue(gmatch_aux, 3, -100)
>
>> gmatch_aux()
>
>> print(gmatch_aux():byte())
> 0
>> print(gmatch_aux():byte())
> 0
>> print(gmatch_aux():byte())
> 0
>> print(gmatch_aux():byte())
> 0
>> print(gmatch_aux():byte())
> 0
>> print(gmatch_aux():byte())
> 0
>> print(gmatch_aux():byte())
> 0
>> print(gmatch_aux():byte())
> 0
>> print(gmatch_aux():byte())
> 0
>> print(gmatch_aux():byte())
> 0
>> print(gmatch_aux():byte())
> 0
>> print(gmatch_aux():byte(1,-1))
> 191
>> print(gmatch_aux():byte(1,-1))
> 62
>> print(gmatch_aux():byte(1,-1))
> 110
>
> Basically you can set gmatch_aux's 3rd upvalue to a negative number and it
> will read it even if it's not within the string.

Follow-Ups:
- Re: Arbitrary memory reading with gmatch_aux upvalue, Roberto Ierusalimschy

References:
- Arbitrary memory reading with gmatch_aux upvalue, Kat Kioo

Prev by Date: Arbitrary memory reading with gmatch_aux upvalue
Next by Date: Re: Request for 5.4: adding [] as table creation syntax for Lua 6.0
Previous by thread: Arbitrary memory reading with gmatch_aux upvalue
Next by thread: Re: Arbitrary memory reading with gmatch_aux upvalue
Index(es):
- Date
- Thread