Re: Stack overflow in lsys_load (lua/loadlib.c:134)

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Stack overflow in lsys_load (lua/loadlib.c:134)
From: Roberto Ierusalimschy <roberto@...>
Date: Mon, 14 Sep 2020 15:56:36 -0300

> I am not sure what that was supposed to demonstrate. Yes, it is not a
> pathname, which makes this subject to an implementation-defined limit,
> and all of Lua, Perl and Python let their users exceed the limit and
> crash the process.
> 
> Since this is currently not listed as a bug in Lua, this is apparently
> believed to be correct behavior. Why then was it a completely
> different story with io.popen?

1) The issue with io.open is a well documented restriction, while
the issue with loadlib seems to be a bug in libc/dlopen.

2) An invalid mode for popen seems like a realistic mistake; a name
with 10e7 characters to loadlib seems possible only with malice.

3) loadlib is inherently low-level and unsafe, so this issue is just one
more way to use that function to crash the program when malice is in the
equation:

  > package.loadlib("/lib/x86_64-linux-gnu/libc.so.6", "memcpy")()
  Segmentation fault (core dumped)

-- Roberto

Follow-Ups:
- Re: Stack overflow in lsys_load (lua/loadlib.c:134), Viacheslav Usov

References:
- Stack overflow in lsys_load (lua/loadlib.c:134), secwx weizhenvul
- Re: Stack overflow in lsys_load (lua/loadlib.c:134), Roberto Ierusalimschy
- Re: Stack overflow in lsys_load (lua/loadlib.c:134), Roberto Ierusalimschy
- Re: Stack overflow in lsys_load (lua/loadlib.c:134), Roberto Ierusalimschy
- Re: Stack overflow in lsys_load (lua/loadlib.c:134), Viacheslav Usov

Prev by Date: Re: Stack overflow in lsys_load (lua/loadlib.c:134)
Next by Date: Re: [ANN] GUI for clock module DS3231
Previous by thread: Re: Stack overflow in lsys_load (lua/loadlib.c:134)
Next by thread: Re: Stack overflow in lsys_load (lua/loadlib.c:134)
Index(es):
- Date
- Thread