- Subject: Re: heap-buffer-overflow in luaD_pretailcall
- From: Andrew Gierth <andrew@...>
- Date: Wed, 08 Jul 2020 10:28:08 +0100
>>>>> "Rui" == Rui Zhong <reversezr33@gmail.com> writes:
Rui> 0x6160000017e8 at pc 0x000000414661 bp 0x7ffd48797200 sp 0x7ffd487971f0
Rui> WRITE of size 1 at 0x6160000017e8 thread T0
Rui> #0 0x414660 in luaD_pretailcall (/home/yongheng/lua_asan/lua+0x414660)
So this seems to be a rather fundamental issue in checkstackGC; it
ensures that there's stack space beyond L->top for the specified number
of entries, reallocating the stack if need be, but then it possibly
performs a garbage collection, and the garbage collector can and will
_immediately shrink the stack down again_. This can (and in this case
does) undo the stack growth that was just done, and so the
argument-completion loop in pretailcall stomps off the end of the stack.
Maybe something should have been assigning to ci->top before allowing
the GC to run, to protect the newly-allocated stack entries?
--
Andrew.
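Added example, not code from the post or from Lua's sources: a simplified C model of the grow-then-shrink hazard Andrew describes. `grow_stack`, `gc_shrink_stack` and `checkstack_then_gc` are constructed stand-ins for checkstackGC and the collector's stack shrink; with `protect` set, the frame's reserved top (`ci_top`) is raised before the collector runs, which is the fix he suggests.

```c
#include <stdlib.h>
#include <stddef.h>

/* Constructed model (not Lua's real data structures). */
typedef struct {
    int *stack;
    size_t size;    /* allocated slots */
    size_t top;     /* first free slot */
    size_t ci_top;  /* slots the current call frame has reserved */
} state_t;

static void state_init(state_t *L, size_t size) {
    L->stack = calloc(size, sizeof(int));
    if (!L->stack) abort();
    L->size = size;
    L->top = 0;
    L->ci_top = 0;
}

/* Ensure at least n free slots beyond top, reallocating if needed. */
static void grow_stack(state_t *L, size_t n) {
    if (L->top + n > L->size) {
        int *p = realloc(L->stack, (L->top + n) * sizeof(int));
        if (!p) abort();
        L->stack = p;
        L->size = L->top + n;
    }
}

/* The collector shrinks the stack to what is in use: max(top, ci_top).
   Anything reserved only by "top + n" without touching ci_top is lost here. */
static void gc_shrink_stack(state_t *L) {
    size_t inuse = L->top > L->ci_top ? L->top : L->ci_top;
    if (inuse < L->size) {
        int *p = realloc(L->stack, (inuse ? inuse : 1) * sizeof(int));
        if (!p) abort();
        L->stack = p;
        L->size = inuse;
    }
}

/* Returns how many slots remain free beyond top after a checkstack followed
   by a collection. protect != 0 raises ci_top to cover the reservation first. */
size_t checkstack_then_gc(size_t n, int protect) {
    state_t L;
    state_init(&L, 4);
    L.top = 4;                        /* stack is completely full */
    grow_stack(&L, n);                /* checkstack: n slots now exist */
    if (protect) L.ci_top = L.top + n; /* fix: tell the GC they are spoken for */
    gc_shrink_stack(&L);              /* GC runs before the slots are written */
    size_t avail = L.size - L.top;    /* 0 means the next write is out of bounds */
    free(L.stack);
    return avail;
}
```

Without `protect`, the function reports zero free slots after the collection even though `grow_stack` had just provided `n`, which is exactly the situation in which the argument-completion loop would write past the allocation.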