- Subject: Re: Use-After-Free Vulnerability in Lua
- From: Roberto Ierusalimschy <roberto@...>
- Date: Fri, 8 Jun 2018 11:38:06 -0300
> I found a use-after-free vulnerability caused by the following input:
> ({debug.setlocal(1, 1 .. [[]], 'a')}).acos = 1
>
> I am not sure what the root cause of this problem is but when I
> execute this code in lua, which was compiled with ASAN, I get the
> following output:
>
> [...]
From the Lua manual:
The Debug Library
[...]
You should exert care when using this library. Several of its
functions violate basic assumptions about Lua code (e.g., that
variables local to a function cannot be accessed from outside;
that userdata metatables cannot be changed by Lua code; that Lua
programs do not crash) and therefore can compromise otherwise
secure code.
In your example, the call "debug.setlocal(1, 1 .. [[]], 'a')",
which can be simplified to "debug.setlocal(1, 1, 'a')", is changing
the table being constructed into a string. Because Lua itself created
that table, it does not check its type when adding the element inside
the constructor. The result is that Lua will handle the string 'a' as
if it was a table...
-- Roberto
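The manual excerpt quoted above is the practical takeaway: code that loads untrusted Lua must not expose the debug library to it. The following is an added example (not code from the original message, nor from the Lua project) showing one way to do that: compile the untrusted chunk as text only and bind it to a whitelist environment that omits debug, load, dofile, require, io and os. The helper names make_sandbox_env and run_untrusted are hypothetical, and the example assumes Lua 5.2 or later (load with an explicit environment argument; Lua 5.1 would use setfenv instead).

```lua
-- Added example, not part of the original message or of Lua itself.
-- Assumes Lua 5.2+ (load(src, name, mode, env)); 5.1 needs setfenv.

-- Whitelist of globals handed to untrusted code. debug, load, loadstring,
-- dofile, require, io, os and rawset/rawget are deliberately absent, so the
-- chunk cannot reach debug.setlocal (or any other debug function) at all.
local function make_sandbox_env()
  return {
    assert = assert, error = error, ipairs = ipairs, next = next,
    pairs = pairs, pcall = pcall, select = select, tonumber = tonumber,
    tostring = tostring, type = type, unpack = table.unpack,
    math = math, string = string, table = table,
    print = print,
  }
end

-- Compile src as a text-only chunk (mode "t" rejects precompiled bytecode,
-- which Lua does not verify and which can break VM assumptions just as the
-- debug library can), bound to the sandbox environment, then run it under
-- pcall. Returns ok, result_or_error like pcall does.
local function run_untrusted(src, name)
  local env = make_sandbox_env()
  local chunk, err = load(src, name or "=untrusted", "t", env)
  if not chunk then
    return false, "compile error: " .. tostring(err)
  end
  return pcall(chunk)
end

-- The reporter's input from the message above. With debug withheld, the
-- global 'debug' is nil inside the chunk, so indexing it raises an ordinary
-- Lua error instead of turning the table under construction into a string.
local reporter_input = "({debug.setlocal(1, 1 .. [[]], 'a')}).acos = 1"
local ok, err = run_untrusted(reporter_input)
assert(not ok, "sandboxed chunk should fail")
print("sandboxed run failed cleanly: " .. tostring(err))

-- Benign code still runs normally in the same environment.
local ok2, sum = run_untrusted(
  "local t = {1, 2, 3} local s = 0 for _, v in ipairs(t) do s = s + v end return s")
assert(ok2 and sum == 6)
print("benign chunk returned " .. tostring(sum))
```

Two caveats a practitioner should keep in mind. First, the math, string and table library tables are shared with the host here, so untrusted code could still reassign entries in them (and string methods are reachable through the string metatable regardless); a stricter sandbox copies those tables per chunk. Second, withholding globals does nothing against resource exhaustion (infinite loops, unbounded allocation), which needs a separate mechanism such as an instruction-count hook set by the host before the chunk runs.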