- Subject: Re: The security of function load (+ some remarks on fuzzing)
- From: nobody <nobody+lua-list@...>
- Date: Thu, 24 Sep 2020 13:40:04 +0200
On 23/09/2020 23.11, Rena wrote:
> You can prevent loading binary chunks entirely, but in general you
> must trust the code being loaded.
Specifically, you set the `mode` string to "t" instead of "bt".
Note that several variants of the load* functions just don't take the
mode argument and default it to NULL (effectively "bt"), which is fine
for manually written code (just avoid these variants and use the
explicit versions) but - depending on how you do it - may be
inconvenient for fuzzing or exhaustive path analysis etc.
For that purpose, I suggest you hard-code "t" instead of `mode` in the
one call to `luaD_protectedparser` (in `lua_load` in `lapi.c`; and, to
fix the resulting warning, say `UNUSED(mode);` at the top of that function).
-----
Depending on how aggressive your fuzzer is and how well (or not at all?)
you are sandboxing runs, further unrelated stuff you may want to change is:
* changing `l_checkmode` (in `liolib.c` or `#define`-ing it yourself)
to only allow opening files for reading (never writing) - such that
opening randomly generated file names will never accidentally
overwrite anything
* removing `output` and `popen` from the `luaL_Reg iolib[]`
in liolib.c (and maybe `tmpfile` too if opening too many files
can cause spurious errors)
* removing `execute`, `remove`, `rename` (and again maybe `tmpname`)
from `luaL_Reg syslib[]` in `loslib.c`
(of course, that means you won't be testing these functions...)
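As an added example (not part of the original post, and not the C-level edits it describes), here is a Lua-side sandbox that mirrors the same restrictions for Lua 5.3/5.4: mode "t" is forced, io.open only accepts read modes, and the io/os functions listed above are simply absent from the chunk's environment. The names read_only_open, make_env and load_text are mine, and the inputs at the end are constructed.

```lua
-- Lua 5.3/5.4 analogue of the hardening above (not the post's own C edits).
local load_text            -- forward declaration, defined below

-- Read-only replacement for io.open (assumption: only "r" / "rb" allowed),
-- mirroring the l_checkmode restriction described in the post.
local function read_only_open(name, mode)
  mode = mode or "r"
  if mode ~= "r" and mode ~= "rb" then
    return nil, "read-only modes only: refused to open " .. tostring(name)
  end
  return io.open(name, mode)
end

-- Environment with io.output/io.popen/io.tmpfile and os.execute/os.remove/
-- os.rename/os.tmpname absent, and the load variants that default to "bt"
-- replaced or dropped.
local function make_env()
  local env = {}
  for k, v in pairs(_G) do env[k] = v end        -- shallow copy of globals
  env._G = env
  env.io = { open = read_only_open, read = io.read, write = io.write,
             lines = io.lines, close = io.close, type = io.type }
  env.os = { time = os.time, clock = os.clock, date = os.date,
             getenv = os.getenv, difftime = os.difftime }
  env.load, env.loadfile, env.dofile, env.loadstring = load_text, nil, nil, nil
  return env
end

-- Text-only loader: the Lua-level equivalent of hard-coding "t" in lua_load.
function load_text(chunk, name)
  return load(chunk, name or "=fuzz", "t", make_env())
end

-- Constructed inputs demonstrating the three behaviours.
local f, err = load_text("return 1 + 2")
assert(f and f() == 3)

-- string.dump yields a binary chunk ("\27Lua..."); mode "t" must refuse it.
f, err = load_text(string.dump(function() return 42 end))
assert(f == nil and err:find("binary chunk"), err)

-- Inside the sandbox, opening a file for writing is refused before any I/O.
f = load_text('return io.open("/tmp/never_created.txt", "w")')
local fh, why = f()
assert(fh == nil and why:find("read%-only"), why)
print("ok")
```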
And depending on how much path analysis / SAT solving you do
* simplifying `luaS_hash` in `lstring.c` from the original to
something stupid-simple like
#include <stddef.h>
#include <stdint.h>

/* Drop-in replacement for luaS_hash in lstring.c (same signature as in
   Lua 5.3/5.4): the hash is just the leading bytes of the string read as
   an integer, and the seed is ignored. Deliberately trivial so that a
   path analyser / SAT solver can see straight through it. */
unsigned int luaS_hash (const char *str, size_t l, unsigned int seed) {
  (void)seed;  /* UNUSED(seed) in Lua's own idiom */
  switch (l) {
    case 0: return 0;
    case 1: return *((const uint8_t*)str);
    case 2:
    case 3: return *((const uint16_t*)str);
    case 4:
    case 5:
    case 6:
    case 7: return *((const uint32_t*)str);
    default: return *((const unsigned int*)str);
  }
}
Where the original can easily make path analysis give up and/or SAT
state grow insanely large, this one is effectively transparent.
-- nobody