On 8 June 2018 at 15:20, Daniel Teuchert <Daniel.Teuchert@ruhr-uni-bochum.de> wrote:
Hi all,
I found a use-after-free vulnerability caused by the following input:
({debug.setlocal(1, 1 .. [[]], 'a')}).acos = 1


can confirm the crash:

> $ lua5.3 -e "({debug.setlocal(1, 1 .. '', 'a')}).x = 1"
> lua5.3: error in error handling
> Segmentation fault (core dumped)


same happens on 5.2:

> $ lua5.2 -e "({debug.setlocal(1, 1 .. '', 'a')}).x = 1"
> Segmentation fault (core dumped)


and on LuaJIT:

> $ luajit -e "({debug.setlocal(1, 1 .. '', 'a')}).x = 1"
> Segmentation fault (core dumped)


but not on 5.1:

> $ lua5.1 -e "({debug.setlocal(1, 1 .. '', 'a')}).x = 1"
> lua5.1: (command line):1: attempt to index a string value
> stack traceback:
>         (command line):1: in main chunk
>         [C]: ?


--
Javier
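
As an added example that is not part of the thread: one way to keep untrusted scripts from reaching `debug.setlocal` at all is to run them with an environment table that omits the `debug` library (Lua 5.3 `load` with an explicit env; `run_untrusted`, `make_env` and the whitelist below are my own names, not anything from the thread). Because the failure shown above is a segfault rather than a Lua error, a plain `pcall` around the script would not contain it; the library has to be unreachable.

```lua
-- Added example (not from the thread): run untrusted Lua 5.3 source in an
-- environment without the debug library, so the crash input above cannot
-- reach debug.setlocal. Assumes Lua 5.3's load(chunk, name, mode, env).

-- Globals considered safe to expose. Anything not listed (debug, load,
-- dofile, require, os, io, package, setmetatable, ...) is simply absent.
local SAFE_GLOBALS = {
  "assert", "error", "ipairs", "next", "pairs", "pcall", "select",
  "tonumber", "tostring", "type", "xpcall",
}

-- Shallow-copy a library table so the sandbox cannot patch the host's copy
-- (e.g. replacing string.format for everyone).
local function copy_table(t)
  local c = {}
  for k, v in pairs(t) do c[k] = v end
  return c
end

local function make_env()
  local env = {}
  for _, name in ipairs(SAFE_GLOBALS) do
    env[name] = _G[name]
  end
  -- Pure library tables only; never debug, os, io or package.
  env.math = copy_table(math)
  env.string = copy_table(string)
  env.table = copy_table(table)
  return env
end

-- Compile src as text only ("t" rejects precompiled bytecode) with the
-- restricted table as its _ENV, then run it under pcall.
-- Returns true on success, or false plus the error message.
local function run_untrusted(src, name)
  local chunk, err = load(src, name or "=untrusted", "t", make_env())
  if not chunk then
    return false, err
  end
  return pcall(chunk)
end

-- The input from the thread: inside the sandbox `debug` is nil, so the
-- script stops with an ordinary Lua error before any setlocal call.
local ok, err = run_untrusted("({debug.setlocal(1, 1 .. [[]], 'a')}).acos = 1")
print(ok, err)
```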