- Subject: Re: Stack overflow in luaO_pushvfstring
- From: Stefan <ste@...>
- Date: Tue, 7 Jul 2020 03:07:19 +0200
> The original POC that can crash a default build lua (just run make on
> Linux) is:
>
> function errfunc() end
> function test()
>   xpcall(test, coroutine.wrap(function() print(xpcall(test, errfunc)) end))
> end
> coroutine.wrap(function() print(xpcall(test, errfunc)) end)()
>
> With the following poc, lua crashed with an invalid stack address.
>
Can confirm - this bit crashes the standard build with
gcc -std=gnu99 -O2 -Wall -Wextra -DLUA_COMPAT_5_3 -DLUA_USE_LINUX
on my Linux with ulimit -s below 11264.
Linux db 5.7.0-1-amd64 #1 SMP Debian 5.7.6-1 (2020-06-24) x86_64
gcc (Debian 9.3.0-14) 9.3.0
(same for armhf-cross/qemu)
On Windows 64-bit values below 21MB crash:
cl /nologo /EHsc /O2 lua.c lapi.c lctype.c lfunc.c lmathlib.c loslib.c
ltable.c lundump.c lauxlib.c ldblib.c lgc.c lmem.c lparser.c ltablib.c
lutf8lib.c lbaselib.c ldebug.c linit.c loadlib.c lstate.c ltm.c lvm.c
lcode.c ldo.c liolib.c lobject.c lstring.c lzio.c lcorolib.c ldump.c
llex.c lopcodes.c lstrlib.c /link /STACK:22020096 (21MB)
debug.setcstacklimit(1970) prevents a crash on /STACK:20971520 (20MB)
debug.setcstacklimit(1395) prevents a crash on /STACK:10485760 (10MB)
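Added example, not from Stefan's message or the Lua project: a POSIX shell harness that makes the "crashes below ulimit -s N" check above repeatable and bisects the threshold, so a fix (or a debug.setcstacklimit value) can be regression-tested. The `./lua poc.lua` invocation and the 1024/16384 KiB bounds in the comments are assumptions.

```shell
#!/bin/sh
# Hypothetical harness: run CMD with the soft stack limit lowered to LIMIT_KB
# (the `ulimit -s` value, in KiB) and classify the outcome; then bisect between
# a crashing and a surviving limit. Assumed usage against the build discussed:
#   run_with_stack 8192 ./lua poc.lua          (poc.lua holds the quoted script)
#   stack_threshold 1024 16384 ./lua poc.lua   (assumes 1024 crashes, 16384 not)

# run_with_stack LIMIT_KB CMD... -> prints ok | error | crash | missing
run_with_stack() {
    limit_kb=$1; shift
    # Subshell: the lowered limit must not leak into the caller's shell.
    # The if-statement keeps a failing CMD from aborting under `set -e`.
    if ( ulimit -s "$limit_kb" && exec "$@" ) >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    if [ "$status" -eq 0 ]; then
        echo ok            # script finished; any overflow was caught as a Lua error
    elif [ "$status" -eq 126 ] || [ "$status" -eq 127 ]; then
        echo missing       # CMD not found or not executable
    elif [ "$status" -gt 128 ]; then
        echo crash         # killed by a signal (139 = SIGSEGV, 134 = SIGABRT)
    else
        echo error         # clean non-zero exit, e.g. lua reporting an uncaught error
    fi
}

# stack_threshold LO_KB HI_KB CMD... -> prints the smallest limit tried (KiB)
# at which CMD no longer crashes, to within 64 KiB. Assumes LO_KB crashes and
# HI_KB survives; check both endpoints with run_with_stack first.
stack_threshold() {
    lo=$1; hi=$2; shift 2
    while [ $((hi - lo)) -gt 64 ]; do
        mid=$(( (lo + hi) / 2 ))
        if [ "$(run_with_stack "$mid" "$@")" = crash ]; then
            lo=$mid        # still crashes: threshold lies above mid
        else
            hi=$mid        # survives: threshold is at or below mid
        fi
    done
    echo "$hi"
}
```

The thresholds it reports are for one build, machine and kernel; a different C compiler or optimisation level shifts them, as the Linux and Windows figures above already show.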