- Subject: Re: Stack overflow in lsys_load (lua/loadlib.c:134)
- From: Roberto Ierusalimschy <roberto@...>
- Date: Mon, 14 Sep 2020 15:56:36 -0300
> I am not sure what that was supposed to demonstrate. Yes, it is not a
> pathname, which makes this subject to an implementation-defined limit,
> and all of Lua, Perl and Python let their users exceed the limit and
> crash the process.
>
> Since this is currently not listed as a bug in Lua, this is apparently
> believed to be correct behavior. Why then was it a completely
> different story with io.popen?

1) The issue with io.open is a well documented restriction, while
the issue with loadlib seems to be a bug in libc/dlopen.

2) An invalid mode for popen seems like a realistic mistake; a name
with 10e7 characters to loadlib seems possible only with malice.

3) loadlib is inherently low-level and unsafe, so this issue is just one
more way to use that function to crash the program when malice is in the
equation:

> package.loadlib("/lib/x86_64-linux-gnu/libc.so.6", "memcpy")()
Segmentation fault (core dumped)

-- Roberto