Re: The security of function load (+ some remarks on fuzzing)

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: The security of function load (+ some remarks on fuzzing)
From: nobody <nobody+lua-list@...>
Date: Thu, 24 Sep 2020 13:40:04 +0200

On 23/09/2020 23.11, Rena wrote:

You can prevent loading binary chunks entirely, but in general youmust trust the code being loaded.


Specifically, you set the `mode` string to "t" instead of "bt".

Note that several variants of the load* functions just don't take the
mode argument and default it to NULL (effectively "bt"), which is fine
for manually written code (just avoid these variants and use the
explicit versions) but - depending on how you do it - may be
inconvenient for fuzzing or exhaustive path analysis etc.…

For that purpose, I suggest you hard-code "t" instead of `mode` in the
one call to `luaD_protectedparser` (in `lua_load` in `lapi.c`; and, to
fix the resulting warning, say `UNUSED(mode);` at the top of that function).

-----

Depending on how aggressive your fuzzer is and how well (or not at all?)
you are sandboxing runs, further unrelated stuff you may want to change is:

 *  changing `l_checkmode` (in `liolib.c` or `#define`-ing it yourself)
    to only allow opening files for reading (never writing) - such that
    opening randomly generated file names will never accidentally
    overwrite anything
 *  removing `output` and `popen` from the `luaL_Reg iolib[]`
    in liolib.c (and maybe `tmpfile` too if opening too many files
    can cause spurious errors)
 *  removing `execute`, `remove`, `rename` (and again maybe `tmpname`)
    from `luaL_Reg syslib[]` in `loslib.c`

(of course, that means you won't be testing these functions...)

And depending on how much path analysis / SAT solving you do

 *  simplifying `luaS_hash` in `lstring.c` from the original to
    something stupid-simple like

      switch (l) {
        case 0: return 0;
        case 1: return *((uint8_t*)str);
        case 2:
        case 3: return *((uint16_t*)str);
        case 4:
        case 5:
        case 6:
        case 7: return *((uint32_t*)str);
        default: return *((unsigned int*)str);
      }

    Where the original can easily make path analysis give up and/or SAT
    state grow insanely large, this one is effectively transparent.

-- nobody

References:
- The security of function load, Yongheng Chen
- Re: The security of function load, Rena

Prev by Date: Re: What does "slot" mean for Lua?
Next by Date: Re: What does "slot" mean for Lua?
Previous by thread: Re: The security of function load
Next by thread: What does "slot" mean for Lua?
Index(es):
- Date
- Thread