[Date Prev][Date Next][Thread Prev][Thread Next]
[Date Index]
[Thread Index]
- Subject: Re: Some thoughts on security
- From: Daurnimator <quae@...>
- Date: Mon, 12 Dec 2016 10:56:09 +1100
On 12 December 2016 at 10:21, Samuel Groß <mail@samuel-gross.com> wrote:
> I was playing around with Lua a bit lately and noticed that it supported
> loading precompiled bytecode at runtime through `load` [1], which caught my
> attention. Looking at the source code, it seemed like no validation was
> performed on the input (actually, I could have just read the documentation
> for `load` it seems :P). I was able to confirm this with a quick run of the
> afl fuzzer [2], which found hundreds of crashes within a few minutes. After
> some digging around I found some previous threads ([3], [4]), suggesting
> that this was a fairly well known issue.
See http://lua-users.org/lists/lua-l/2009-03/msg00039.html
tl;dr: Lua *did* have a bytecode verifier, but it had issues and there
was too much required to make it 'perfect'.
So rather than pay the code slowdown on load and the maintenance
burden, it was decided to remove the bytecode verifier entirely.
