Re: Heap use after free in luaD

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Heap use after free in luaD_call
From: Andrew Gierth <andrew@...>
Date: Wed, 15 Jul 2020 15:13:21 +0100

>>>>> "Yongheng" == Yongheng Chen <changochen1@gmail.com> writes:

 Yongheng> Hi,
 Yongheng> We found a heap use after free bug in lua.

So this one seems to be something corrupting the gray lists, if I
understand the logic correctly.

What's happening is that a value (in this case a C closure) is being
pushed on the stack and then immediately freed because the current
thread stack is not being marked (which ought to be happening in the
atomic() call, but a breakpoint on traversethread() was not hit). I
think this can only happen if the current thread is marked gray (it is)
but not actually linked into any gray list...

-- 
Andrew.

Follow-Ups:
- Re: Heap use after free in luaD_call, Andrew Gierth

References:
- Heap use after free in luaD_call, Yongheng Chen

Prev by Date: Re: [ANN] Lua 5.3.6 (rc1) now available
Next by Date: Re: Heap use after free in luaD_call
Previous by thread: Heap use after free in luaD_call
Next by thread: Re: Heap use after free in luaD_call
Index(es):
- Date
- Thread