- Subject: Re: CVE-2019-6706: use-after-free in lua_upvaluejoin function
- From: Roberto Ierusalimschy <roberto@...>
- Date: Fri, 25 Jan 2019 10:45:24 -0200
> do you think this could be a good reformulation of this thread? Any further
> comments?
> [...]
> --- a/src/lapi.c
> +++ b/src/lapi.c
> @@ -1285,14 +1285,14 @@ LUA_API void *lua_upvalueid (lua_State *
>
> LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1,
> int fidx2, int n2) {
> - LClosure *f1;
> - UpVal **up1 = getupvalref(L, fidx1, n1, &f1);
> + UpVal **up1 = getupvalref(L, fidx1, n1, NULL); /* the last parameter not needed */
> UpVal **up2 = getupvalref(L, fidx2, n2, NULL);
> + if (*up1 == *up2) return; /* Already joined */
> + (*up2)->refcount++;
> + if (upisopen(*up2)) (*up2)->u.open.touched = 1;
> + luaC_upvalbarrier(L, *up2);
> luaC_upvdeccount(L, *up1);
> *up1 = *up2;
> - (*up1)->refcount++;
> - if (upisopen(*up1)) (*up1)->u.open.touched = 1;
> - luaC_upvalbarrier(L, *up1);
> }
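Review bot: the early return `if (*up1 == *up2) return;` is the change that actually closes the use-after-free named in the subject: in the removed ordering, `luaC_upvdeccount(L, *up1)` runs before `*up1 = *up2` and `(*up1)->refcount++`, so when both slots already point at the same UpVal with a refcount of 1 the decrement can free the object that the next two lines then write to and reference again. Once that guard is in place, moving `refcount++`, the `touched` update and `luaC_upvalbarrier` ahead of the decrement changes nothing for the remaining cases (up1 and up2 distinct), so it is a defensive ordering rather than a second required fix; the reviewer should decide whether to keep it for robustness or drop it to keep the diff minimal, and the comment `/* the last parameter not needed */` would be clearer as a note that `f1` was unused than as a remark about the parameter.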
I did not understand why simply adding the test 'if (*up1 == *up2) return'
isn't enough.
-- Roberto