- Subject: Re: Potential use-after-free in Lua 5.2.4
- From: xavier.decoret@...
- Date: Tue, 26 May 2020 05:47:17 -0000
I had seen that bug, and it seems very close, but the report said it didn't have an easy repro. I have a 100% repro as follows:
$ wget https://www.lua.org/ftp/lua-5.2.4.tar.gz
$ tar zxf lua-5.2.4.tar.gz
$ cd lua-5.2.4
$ cat > bug.c <<EOF
#include "lua.h"
#include "lauxlib.h"

/* Long identifier that follows the function definition in the chunk below. */
#define LONG_VAR_NAME "____x____1____x____2____x____3____x____4_"

int main(void) {
    lua_State *L = luaL_newstate();
    /* Pause of 0: the collector starts a new cycle as soon as the previous one ends. */
    lua_gc(L, LUA_GCSETPAUSE, 0);
    /* Compile only (never executed): a function definition followed by the bare long name. */
    luaL_loadstring(L, "function f() end " LONG_VAR_NAME);
    lua_close(L);
    return 0;
}
EOF
Then modify src/Makefile with the diff below, that is:
* to use clang with sanitizer flag for compilation
* to add a "bug" target by mimicking the LUAC one
$ make linux
$ ./src/bug
et voilà.
diff -r lua-5.2.4 lua-5.2.4-mod
Only in lua-5.2.4-mod/src: bug.c
diff -r lua-5.2.4/src/Makefile lua-5.2.4-mod/src/Makefile
9,10c9,10
< CC= gcc
< CFLAGS= -O2 -Wall -DLUA_COMPAT_ALL $(SYSCFLAGS) $(MYCFLAGS)
---
> CC= clang -fsanitize=address -fno-omit-frame-pointer -g
> CFLAGS= -O1 -Wall -DLUA_COMPAT_ALL $(SYSCFLAGS) $(MYCFLAGS)
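Review bot: the sanitizer flags in the `CC=` line belong in the Makefile's flag hooks rather than in the compiler name: `$(MYCFLAGS)` is already referenced on the `CFLAGS=` line, and putting `-fsanitize=address -fno-omit-frame-pointer -g` there keeps `CC` as the compiler alone and survives a `CC=` override on the make command line. If you do move it, make sure the link step still gets `-fsanitize=address`; keeping it on `CC` achieves that today only because `$(CC)` is also used in the link rule added in the `67a71,73` hunk. Dropping to `-O1` is the right choice for an ASan build, so that part of the hunk is fine.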
45,46c45,49
< ALL_O= $(BASE_O) $(LUA_O) $(LUAC_O)
< ALL_T= $(LUA_A) $(LUA_T) $(LUAC_T)
---
> BUG_T= bug
> BUG_O= bug.o
>
> ALL_O= $(BASE_O) $(LUA_O) $(LUAC_O) $(BUG_O)
> ALL_T= $(LUA_A) $(LUA_T) $(LUAC_T) $(BUG_T)
67a71,73
> $(BUG_T): $(BUG_O) $(LUA_A)
> $(CC) -o $@ $(LDFLAGS) $(BUG_O) $(LUA_A) $(LIBS)
>
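Review bot: the recipe line `$(CC) -o $@ $(LDFLAGS) $(BUG_O) $(LUA_A) $(LIBS)` under `$(BUG_T):` must begin with a literal tab in the Makefile; the mail shows it flush-left, and make will reject it with a "missing separator" error if it is pasted as shown. Otherwise the rule mirrors the existing luac link rule, and because `$(CC)` carries `-fsanitize=address` in this patch, the ASan runtime is linked into `bug` correctly.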
179a186,187
> ltm.h lzio.h lmem.h lundump.h ldebug.h lopcodes.h
> bug.o: bug.c lua.h luaconf.h lauxlib.h lobject.h llimits.h lstate.h \
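Review bot: the two added lines appear in reverse order in the mail: `bug.o: bug.c lua.h luaconf.h lauxlib.h lobject.h llimits.h lstate.h \` ends with a line continuation, so the `ltm.h lzio.h lmem.h lundump.h ldebug.h lopcodes.h` line must follow it, not precede it. Also, this dependency rule lives in src/Makefile and builds bug.o from src/bug.c (the `Only in lua-5.2.4-mod/src: bug.c` line confirms where the file belongs), whereas the `cat > bug.c` step earlier runs in the top-level lua-5.2.4 directory; the file needs to be written to src/bug.c for `make linux` to find it.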