- Subject: Re: heap-buffer-overflow in getobjname
- From: Dibyendu Majumdar <mobile@...>
- Date: Wed, 8 Jul 2020 15:23:37 +0100
On Wed, 8 Jul 2020 at 10:58, Andrew Gierth <andrew@tao11.riddles.org.uk> wrote:
>
> >>>>> "Rui" == Rui Zhong <reversezr33@gmail.com> writes:
>
> Rui> READ of size 4 at 0x60200000014c thread T0
> Rui> #0 0x40e7ca in getobjname (/home/yongheng/lua_asan/lua+0x40e7ca)
> Rui> #1 0x40ec98 in varinfo (/home/yongheng/lua_asan/lua+0x40ec98)
> Rui> #2 0x411575 in luaG_typeerror (/home/yongheng/lua_asan/lua+0x411575)
> Rui> #3 0x4138bc in luaD_tryfuncTM (/home/yongheng/lua_asan/lua+0x4138bc)
>
> So the problem here seems to be that the current CallInfo is that of
> some Lua function, and where the garbage collector was run before any
> savepc() operation (to be precise, from an OP_NEWTABLE opcode). The GC
> then tried to call the __gc metamethod of an object, got the "coroutine"
> table rather than a function, tried to get a __call metamethod from
> that, got nil, and tried to throw an error. Because varinfo thinks that
> it was a Lua function that caused the error, it tries to look at the
> bytecode to see where the value came from, and reads from before the
> start of the bytecode because savedpc still points to the first opcode
> (it tries to read the opcode at savedpc-1).
>
Hey Andrew, your debugging skills are amazing!
Regards
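A small model in C of the pc arithmetic Andrew describes, added here as an illustration and not taken from Lua's source: Proto, CallInfo, savedpc and the pcRel-style subtraction are simplified stand-ins for Lua's, and the bytecode array is constructed. It shows why the "current instruction" index comes out as -1 when a frame has not yet saved a pc, and what a bounds check in the lookup has to reject before indexing the bytecode.

```c
#include <stdio.h>

typedef unsigned int Instruction;

/* Stand-in for Lua's Proto: a function's bytecode array. */
typedef struct { const Instruction *code; int sizecode; } Proto;

/* Stand-in for Lua's CallInfo: where this frame last saved its pc. */
typedef struct { const Instruction *savedpc; } CallInfo;

/* Constructed bytecode for the model: three opaque instructions. */
static const Instruction demo_code[] = { 0x11, 0x22, 0x33 };
static const Proto demo_proto = { demo_code, 3 };

/* pcRel-style arithmetic: savedpc points one past the instruction being
 * executed, so the "current" one is a slot earlier. Right after frame entry
 * savedpc == code, which makes this -1. */
int current_pc(const CallInfo *ci, const Proto *p) {
    return (int)(ci->savedpc - p->code) - 1;
}

/* Checked fetch: returns 0 instead of reading code[-1] when the frame has not
 * saved any pc yet (the situation in the report: the GC ran from inside an
 * OP_NEWTABLE before savepc(), so savedpc still pointed at the first opcode). */
int fetch_current_opcode(const CallInfo *ci, const Proto *p, Instruction *out) {
    int pc = current_pc(ci, p);
    if (pc < 0 || pc >= p->sizecode)
        return 0;
    *out = p->code[pc];
    return 1;
}

/* Helper for a frame whose savedpc is `offset` slots into demo_code. */
int pc_for_saved_offset(int offset) {
    CallInfo ci = { demo_proto.code + offset };
    return current_pc(&ci, &demo_proto);
}

/* Returns the attributed opcode, or -1 when no instruction can be attributed. */
long opcode_for_saved_offset(int offset) {
    CallInfo ci = { demo_proto.code + offset };
    Instruction op;
    return fetch_current_opcode(&ci, &demo_proto, &op) ? (long)op : -1L;
}

int main(void) {
    printf("at frame entry: pc=%d opcode=%ld\n", pc_for_saved_offset(0), opcode_for_saved_offset(0));
    printf("after first instruction: pc=%d opcode=%ld\n", pc_for_saved_offset(1), opcode_for_saved_offset(1));
    return 0;
}
```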