- Subject: Use-After-Free Vulnerability in Lua
- From: Daniel Teuchert <Daniel.Teuchert@...>
- Date: Fri, 08 Jun 2018 16:20:22 +0200
Hi all,
I found a use-after-free vulnerability caused by the following input:
({debug.setlocal(1, 1 .. [[]], 'a')}).acos = 1
I am not sure what the root cause of this problem is, but when I execute
this code in lua, which was compiled with ASAN, I get the following
output:
==26079==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400000d219 at pc 0x0000005170f9 bp 0x7fff3b0591d0 sp 0x7fff3b0591c8
READ of size 1 at 0x60400000d219 thread T0
#0 0x5170f8 (/home/me/forksrv/instrument/lua/src/lua+0x5170f8)
#1 0x5168a6 (/home/me/forksrv/instrument/lua/src/lua+0x5168a6)
#2 0x53c549 (/home/me/forksrv/instrument/lua/src/lua+0x53c549)
#3 0x4ece69 (/home/me/forksrv/instrument/lua/src/lua+0x4ece69)
#4 0x7fca34cb782f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x41b608 (/home/me/forksrv/instrument/lua/src/lua+0x41b608)
0x60400000d219 is located 9 bytes inside of 37-byte region [0x60400000d210,0x60400000d235)
freed by thread T0 here:
#0 0x4bb5b0 (/home/me/forksrv/instrument/lua/src/lua+0x4bb5b0)
#1 0x5667d7 (/home/me/forksrv/instrument/lua/src/lua+0x5667d7)
#2 0x52055e (/home/me/forksrv/instrument/lua/src/lua+0x52055e)
#3 0x516f9c (/home/me/forksrv/instrument/lua/src/lua+0x516f9c)
#4 0x5168a6 (/home/me/forksrv/instrument/lua/src/lua+0x5168a6)
#5 0x53c549 (/home/me/forksrv/instrument/lua/src/lua+0x53c549)
#6 0x4ece69 (/home/me/forksrv/instrument/lua/src/lua+0x4ece69)
#7 0x7fca34cb782f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
previously allocated by thread T0 here:
#0 0x4bbab8 (/home/me/forksrv/instrument/lua/src/lua+0x4bbab8)
#1 0x5667b2 (/home/me/forksrv/instrument/lua/src/lua+0x5667b2)
#2 0x52055e (/home/me/forksrv/instrument/lua/src/lua+0x52055e)
#3 0x515f9b (/home/me/forksrv/instrument/lua/src/lua+0x515f9b)
#4 0x53df93 (/home/me/forksrv/instrument/lua/src/lua+0x53df93)
#5 0x53e751 (/home/me/forksrv/instrument/lua/src/lua+0x53e751)
#6 0x4f737c (/home/me/forksrv/instrument/lua/src/lua+0x4f737c)
#7 0x58b59f (/home/me/forksrv/instrument/lua/src/lua+0x58b59f)
#8 0x50aba5 (/home/me/forksrv/instrument/lua/src/lua+0x50aba5)
#9 0x5505a7 (/home/me/forksrv/instrument/lua/src/lua+0x5505a7)
#10 0x50bbd4 (/home/me/forksrv/instrument/lua/src/lua+0x50bbd4)
#11 0x507c16 (/home/me/forksrv/instrument/lua/src/lua+0x507c16)
#12 0x50e251 (/home/me/forksrv/instrument/lua/src/lua+0x50e251)
#13 0x4fe339 (/home/me/forksrv/instrument/lua/src/lua+0x4fe339)
#14 0x4ee72b (/home/me/forksrv/instrument/lua/src/lua+0x4ee72b)
#15 0x50aba5 (/home/me/forksrv/instrument/lua/src/lua+0x50aba5)
#16 0x50bbaa (/home/me/forksrv/instrument/lua/src/lua+0x50bbaa)
#17 0x507c16 (/home/me/forksrv/instrument/lua/src/lua+0x507c16)
#18 0x50e251 (/home/me/forksrv/instrument/lua/src/lua+0x50e251)
#19 0x4fe339 (/home/me/forksrv/instrument/lua/src/lua+0x4fe339)
#20 0x4ecd00 (/home/me/forksrv/instrument/lua/src/lua+0x4ecd00)
#21 0x7fca34cb782f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-use-after-free (/home/prakti/forksrv/instrument/lua/src/lua+0x5170f8)
==26079==ABORTING
And sometimes:
ASAN:DEADLYSIGNAL
=================================================================
==14515==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2bf0ec5b1a bp 0x7fff7b895af0 sp 0x7fff7b895288 T0)
#0 0x7f2bf0ec5b19 (/lib/x86_64-linux-gnu/libc.so.6+0x14db19)
#1 0x4a5054 (/home/me/latest_lua/lua-5.3.4/src/lua+0x4a5054)
#2 0x525fd6 (/home/me/latest_lua/lua-5.3.4/src/lua+0x525fd6)
#3 0x530fbb (/home/me/latest_lua/lua-5.3.4/src/lua+0x530fbb)
#4 0x50061f (/home/me/latest_lua/lua-5.3.4/src/lua+0x50061f)
#5 0x4fdd60 (/home/me/latest_lua/lua-5.3.4/src/lua+0x4fdd60)
#6 0x50218d (/home/me/latest_lua/lua-5.3.4/src/lua+0x50218d)
#7 0x4f74fa (/home/me/latest_lua/lua-5.3.4/src/lua+0x4f74fa)
#8 0x4ee32a (/home/me/latest_lua/lua-5.3.4/src/lua+0x4ee32a)
#9 0x4ed52b (/home/me/latest_lua/lua-5.3.4/src/lua+0x4ed52b)
#10 0x4ffb7f (/home/me/latest_lua/lua-5.3.4/src/lua+0x4ffb7f)
#11 0x500613 (/home/me/latest_lua/lua-5.3.4/src/lua+0x500613)
#12 0x4fdd60 (/home/me/latest_lua/lua-5.3.4/src/lua+0x4fdd60)
#13 0x50218d (/home/me/latest_lua/lua-5.3.4/src/lua+0x50218d)
#14 0x4f74fa (/home/me/latest_lua/lua-5.3.4/src/lua+0x4f74fa)
#15 0x4ec8f3 (/home/me/latest_lua/lua-5.3.4/src/lua+0x4ec8f3)
#16 0x7f2bf0d9882f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#17 0x41b238 (/home/me/latest_lua/lua-5.3.4/src/lua+0x41b238)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x14db19)
==14515==ABORTING
Note that lua also crashes if it is not compiled with ASAN.
Steps to reproduce:
curl -R -O http://www.lua.org/ftp/lua-5.3.4.tar.gz
tar zxf lua-5.3.4.tar.gz
cd lua-5.3.4
edit Makefile in "src" folder and set CC= clang -fsanitize=address -fno-omit-frame-pointer
make linux
echo "({debug.setlocal(1, 1 .. [[]], 'a')}).acos = 1">lua_crash
Execute src/lua /path/to/lua_crash
Cheers,
Daniel
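A triage helper for reports like the two above, added here as an example (it is neither Daniel's code nor part of Lua): it parses the ASan report format into its fields and derives a dedup key from the module-relative offsets of the faulting stack, which lets a fuzzing run tell the heap-use-after-free apart from the SEGV that the same input produces "sometimes". The sample inputs are the post's own reports cut down to a few frames, with the mail client's line wraps re-joined.

```python
import re

# Constructed samples: the two ASan reports from the post, cut to a few frames
# each (addresses unchanged, mail-client line wraps re-joined).
SAMPLE_UAF = """==26079==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400000d219 at pc 0x0000005170f9 bp 0x7fff3b0591d0 sp 0x7fff3b0591c8
READ of size 1 at 0x60400000d219 thread T0
    #0 0x5170f8 (/home/me/forksrv/instrument/lua/src/lua+0x5170f8)
    #1 0x5168a6 (/home/me/forksrv/instrument/lua/src/lua+0x5168a6)
0x60400000d219 is located 9 bytes inside of 37-byte region [0x60400000d210,0x60400000d235)
freed by thread T0 here:
    #0 0x4bb5b0 (/home/me/forksrv/instrument/lua/src/lua+0x4bb5b0)
previously allocated by thread T0 here:
    #0 0x4bbab8 (/home/me/forksrv/instrument/lua/src/lua+0x4bbab8)
SUMMARY: AddressSanitizer: heap-use-after-free (/home/me/forksrv/instrument/lua/src/lua+0x5170f8)
"""
SAMPLE_SEGV = """==14515==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2bf0ec5b1a bp 0x7fff7b895af0 sp 0x7fff7b895288 T0)
    #0 0x7f2bf0ec5b19 (/lib/x86_64-linux-gnu/libc.so.6+0x14db19)
    #1 0x4a5054 (/home/me/latest_lua/lua-5.3.4/src/lua+0x4a5054)
"""

ERR_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: ([\w-]+)(?: on (?:unknown )?address (0x[0-9a-f]+))?")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
FRAME_RE = re.compile(r"^#\d+ 0x[0-9a-f]+ \((.+?)\+(0x[0-9a-f]+)\)")  # (module, offset)

def parse_asan(text):
    """Return a dict with pid, kind, address, access, size, offset, region and
    the three stacks (access / freed / allocated), or None if no report."""
    rep, section = None, "access"
    for line in (raw.strip() for raw in text.splitlines()):
        if (m := ERR_RE.match(line)):
            rep = {"pid": int(m[1]), "kind": m[2], "address": m[3], "access": None,
                   "size": None, "offset": None, "region": None,
                   "stacks": {"access": [], "freed": [], "allocated": []}}
        elif rep is None:
            continue
        elif line.startswith("freed by thread"):
            section = "freed"
        elif line.startswith("previously allocated by"):
            section = "allocated"
        elif (m := ACCESS_RE.match(line)):
            rep["access"], rep["size"] = m[1], int(m[2])
        elif (m := REGION_RE.search(line)):
            rep["offset"], rep["region"] = int(m[1]), int(m[2])
        elif (m := FRAME_RE.match(line)):   # SUMMARY line has no "#N", so it is skipped
            rep["stacks"][section].append((m[1], m[2]))
    return rep

def bucket(rep, depth=3):
    # Dedup key for crash triage: error kind + module-relative offsets of the
    # top faulting frames, skipping libc. Offsets survive ASLR; absolute pcs do not.
    offs = [off for mod, off in rep["stacks"]["access"] if "libc.so" not in mod]
    return (rep["kind"],) + tuple(offs[:depth])
```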