lua-l archive


Hi Andrew,

Thanks for the reply.

I'm getting a crash when running the following code (a modification of http://lua-users.org/lists/lua-l/2020-07/msg00054.html) in Lua-5.2.2

Code

        -- `test` is never defined, so each xpcall below fails with
        -- "attempt to call a nil value" and runs its message handler.
        function errfunc(p16, p17, p18, p19, p20, p21, p22, p23, p24, p25, p26, p27,
                         p28, p29, p30, p31, p32, p33, p34, p35, p36, p37, p38, p39,
                         p40, p41, p42, p43, p44, p45, p46, p48, p49, p50, p51, p52,
                         p53, p54, p55, p56, p57, p58, p59, p60, ...)
                a9 'fail'   -- calls the undefined global a9 with the string 'fail'
        end

        coroutine.wrap(function()
                -- first xpcall: the handler creates a table whose __gc metamethod
                -- compares the undefined global k with a number
                xpcall(test, function()
                        do
                                setmetatable({}, { __gc = function() if k < 2 then end end })
                        end
                end)
                -- second xpcall: the handler is the many-parameter errfunc above
                xpcall(test, errfunc)
        end)()


=================================================================
==96469==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a000001760 at pc 0x0000004a98f8 bp 0x7fffffffcc70 sp 0x7fffffffcc68
WRITE of size 8 at 0x61a000001760 thread T0
    #0 0x4a98f7 in luaD_precall (/lua-5.2.2/src/lua+0x4a98f7)
    #1 0x4aa1b9 in luaD_call (/lua-5.2.2/src/lua+0x4aa1b9)
    #2 0x4a6e8c in luaG_errormsg (/lua-5.2.2/src/lua+0x4a6e8c)
    #3 0x4a6a0d in luaG_runerror (/lua-5.2.2/src/lua+0x4a6a0d)
    #4 0x4a5fae in luaG_typeerror (/lua-5.2.2/src/lua+0x4a5fae)
    #5 0x4a9d5c in luaD_precall (/lua-5.2.2/src/lua+0x4a9d5c)
    #6 0x4aa1b9 in luaD_call (/lua-5.2.2/src/lua+0x4aa1b9)
    #7 0x4a0a1c in lua_pcallk (/lua-5.2.2/src/lua+0x4a0a1c)
    #8 0x5003f6 in luaB_xpcall (/lua-5.2.2/src/lua+0x5003f6)
    #9 0x4a8f96 in luaD_precall (/lua-5.2.2/src/lua+0x4a8f96)
    #10 0x4e0fff in luaV_execute (/lua-5.2.2/src/lua+0x4e0fff)
    #11 0x4aba13 in unroll (/lua-5.2.2/src/lua+0x4aba13)
    #12 0x4a76bb in luaD_rawrunprotected (/lua-5.2.2/src/lua+0x4a76bb)
    #13 0x4aa8f4 in lua_resume (/lua-5.2.2/src/lua+0x4aa8f4)
    #14 0x5010f4 in auxresume (/lua-5.2.2/src/lua+0x5010f4)
    #15 0x5011ab in luaB_auxwrap (/lua-5.2.2/src/lua+0x5011ab)
    #16 0x4a8f96 in luaD_precall (/lua-5.2.2/src/lua+0x4a8f96)
    #17 0x4e0fff in luaV_execute (/lua-5.2.2/src/lua+0x4e0fff)
    #18 0x4aa1cc in luaD_call (/lua-5.2.2/src/lua+0x4aa1cc)
    #19 0x4a76bb in luaD_rawrunprotected (/lua-5.2.2/src/lua+0x4a76bb)
    #20 0x4abf87 in luaD_pcall (/lua-5.2.2/src/lua+0x4abf87)
    #21 0x4a0845 in lua_pcallk (/lua-5.2.2/src/lua+0x4a0845)
    #22 0x494c28 in pmain (/lua-5.2.2/src/lua+0x494c28)
    #23 0x4a8f96 in luaD_precall (/lua-5.2.2/src/lua+0x4a8f96)
    #24 0x4aa1b9 in luaD_call (/lua-5.2.2/src/lua+0x4aa1b9)
    #25 0x4a76bb in luaD_rawrunprotected (/lua-5.2.2/src/lua+0x4a76bb)
    #26 0x4abf87 in luaD_pcall (/lua-5.2.2/src/lua+0x4abf87)
    #27 0x4a0845 in lua_pcallk (/lua-5.2.2/src/lua+0x4a0845)
    #28 0x493a93 in main (/lua-5.2.2/src/lua+0x493a93)

0x61a000001760 is located 0 bytes to the right of 1248-byte region [0x61a000001280,0x61a000001760)
allocated by thread T0 here:
    #0 0x47a929 in realloc (/lua-5.2.2/src/lua+0x47a929)
    #1 0x4ba4ec in luaM_realloc_ (/lua-5.2.2/src/lua+0x4ba4ec)
    #2 0x4a7892 in luaD_reallocstack (/lua-5.2.2/src/lua+0x4a7892)
    #3 0x4a8c11 in luaD_precall (/lua-5.2.2/src/lua+0x4a8c11)
    #4 0x4aa1b9 in luaD_call (/lua-5.2.2/src/lua+0x4aa1b9)
    #5 0x4a6e8c in luaG_errormsg (/lua-5.2.2/src/lua+0x4a6e8c)
    #6 0x4a6a0d in luaG_runerror (/lua-5.2.2/src/lua+0x4a6a0d)
    #7 0x4a5fae in luaG_typeerror (/lua-5.2.2/src/lua+0x4a5fae)
    #8 0x4a9d5c in luaD_precall (/lua-5.2.2/src/lua+0x4a9d5c)
    #9 0x4aa1b9 in luaD_call (/lua-5.2.2/src/lua+0x4aa1b9)
    #10 0x4a0a1c in lua_pcallk (/lua-5.2.2/src/lua+0x4a0a1c)
    #11 0x5003f6 in luaB_xpcall (/lua-5.2.2/src/lua+0x5003f6)
    #12 0x4a8f96 in luaD_precall (/lua-5.2.2/src/lua+0x4a8f96)
    #13 0x4e0fff in luaV_execute (/lua-5.2.2/src/lua+0x4e0fff)
    #14 0x4aba13 in unroll (/lua-5.2.2/src/lua+0x4aba13)
    #15 0x4a76bb in luaD_rawrunprotected (/lua-5.2.2/src/lua+0x4a76bb)
    #16 0x4aa8f4 in lua_resume (/lua-5.2.2/src/lua+0x4aa8f4)
    #17 0x5010f4 in auxresume (/lua-5.2.2/src/lua+0x5010f4)
    #18 0x5011ab in luaB_auxwrap (/lua-5.2.2/src/lua+0x5011ab)
    #19 0x4a8f96 in luaD_precall (/lua-5.2.2/src/lua+0x4a8f96)
    #20 0x4e0fff in luaV_execute (/lua-5.2.2/src/lua+0x4e0fff)
    #21 0x4aa1cc in luaD_call (/lua-5.2.2/src/lua+0x4aa1cc)
    #22 0x4a76bb in luaD_rawrunprotected (/lua-5.2.2/src/lua+0x4a76bb)
    #23 0x4abf87 in luaD_pcall (/lua-5.2.2/src/lua+0x4abf87)
    #24 0x4a0845 in lua_pcallk (/lua-5.2.2/src/lua+0x4a0845)
    #25 0x494c28 in pmain (/lua-5.2.2/src/lua+0x494c28)
    #26 0x4a8f96 in luaD_precall (/lua-5.2.2/src/lua+0x4a8f96)
    #27 0x4aa1b9 in luaD_call (/lua-5.2.2/src/lua+0x4aa1b9)
    #28 0x4a76bb in luaD_rawrunprotected (/lua-5.2.2/src/lua+0x4a76bb)
    #29 0x4abf87 in luaD_pcall (/lua-5.2.2/src/lua+0x4abf87)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/lua-5.2.2/src/lua+0x4a98f7) in luaD_precall
Shadow bytes around the buggy address:
  0x4c3400000290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4c34000002a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4c34000002b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4c34000002c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4c34000002d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x4c34000002e0: 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa
  0x4c34000002f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x4c3400000300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x4c3400000310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x4c3400000320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x4c3400000330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==96469==ABORTING

Yes, upgrading is an option, but then I might have to modify my code for the new version, so I'm thinking that if we can apply only the patch, that would be easy.

On Wed, Jul 28, 2021 at 3:33 AM Andrew Gierth <andrew@tao11.riddles.org.uk> wrote:
>>>>> "aman" == aman agrawal <aman.161089@gmail.com> writes:

 aman> Hi,
 aman> Can you please tell me what are the changes required if we want
 aman> to apply the patch for CVE-2020-15888 in Lua-5.2.2

That CVE is a mess; it links to a bunch of unrelated bugs and commits
and has incorrect version information and a useless description.

As far as I can see, nothing in it is applicable to any version other
than 5.4.0 exactly. So the answer to your question is "nothing".

(That said, 5.2.2 clearly has numerous other bugs, some of them serious;
why are you using it?)

--
Andrew.


--
Best Regards
Aman Agrawal
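The AddressSanitizer report quoted above is the kind of artifact a security engineer triages routinely: which access failed, in which frame, and how the faulting address relates to the allocation it hit. The Python script below is an added example for this thread, not code from Lua or from either poster. It parses such a report, checks that the region line is internally consistent (here the 8-byte write lands exactly at the end of the 1248-byte region that luaD_reallocstack allocated) and condenses the report into the fields a bug ticket needs. SAMPLE_REPORT is an abridged copy of the report above with most frames dropped; treating luaM_realloc_ as an allocator wrapper to skip when naming the allocation site is my assumption, passed in via the `wrappers` parameter.

```python
import re
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

# Constructed sample: the ASan report quoted in the thread, abridged to the frames
# needed for triage. Addresses, sizes and function names are copied from it.
SAMPLE_REPORT = """\
==96469==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a000001760 at pc 0x0000004a98f8 bp 0x7fffffffcc70 sp 0x7fffffffcc68
WRITE of size 8 at 0x61a000001760 thread T0
    #0 0x4a98f7 in luaD_precall (/lua-5.2.2/src/lua+0x4a98f7)
    #1 0x4aa1b9 in luaD_call (/lua-5.2.2/src/lua+0x4aa1b9)
0x61a000001760 is located 0 bytes to the right of 1248-byte region [0x61a000001280,0x61a000001760)
allocated by thread T0 here:
    #0 0x47a929 in realloc (/lua-5.2.2/src/lua+0x47a929)
    #1 0x4ba4ec in luaM_realloc_ (/lua-5.2.2/src/lua+0x4ba4ec)
    #2 0x4a7892 in luaD_reallocstack (/lua-5.2.2/src/lua+0x4a7892)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/lua-5.2.2/src/lua+0x4a98f7) in luaD_precall
==96469==ABORTING
"""

ERROR_RE = re.compile(r"==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes (to the right of|to the left of|inside of) "
                       r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)")
ALLOCATOR_NAMES = frozenset({"malloc", "calloc", "realloc", "free"})


@dataclass
class AsanReport:
    pid: int
    kind: str                        # e.g. heap-buffer-overflow
    address: int                     # faulting address
    access: Optional[str] = None     # READ or WRITE
    size: Optional[int] = None       # bytes accessed
    thread: Optional[str] = None
    access_frames: List[str] = field(default_factory=list)   # innermost first
    where: Optional[str] = None      # relation of the address to the region
    offset: Optional[int] = None     # distance from the region edge named in `where`
    region_size: Optional[int] = None
    region_start: Optional[int] = None
    region_end: Optional[int] = None
    alloc_frames: List[str] = field(default_factory=list)


def parse_asan_report(text: str) -> AsanReport:
    """Parse one ASan report; raise ValueError if the ERROR banner is absent."""
    report: Optional[AsanReport] = None
    current: Optional[List[str]] = None   # frame list the next '#n' lines belong to
    for line in text.splitlines():
        if m := ERROR_RE.search(line):
            report = AsanReport(int(m.group(1)), m.group(2), int(m.group(3), 16))
            current = None
        elif report is None:
            continue                      # ordinary program output before the banner
        elif m := ACCESS_RE.match(line):
            report.access, report.size, report.thread = m.group(1), int(m.group(2)), m.group(3)
            current = report.access_frames
        elif m := REGION_RE.search(line):
            report.offset, report.where, report.region_size = int(m.group(1)), m.group(2), int(m.group(3))
            report.region_start, report.region_end = int(m.group(4), 16), int(m.group(5), 16)
        elif line.startswith("allocated by"):
            current = report.alloc_frames
        elif (m := FRAME_RE.match(line)) and current is not None:
            current.append(m.group(1))
    if report is None:
        raise ValueError("no AddressSanitizer ERROR banner found")
    return report


def region_consistent(r: AsanReport) -> bool:
    """Does the region line agree with itself and with the faulting address?"""
    if r.region_start is None or r.region_end - r.region_start != r.region_size:
        return False
    expected = {"to the right of": r.region_end + r.offset,
                "to the left of": r.region_start - r.offset,
                "inside of": r.region_start + r.offset}[r.where]
    return expected == r.address


def first_project_frame(frames: List[str], wrappers: FrozenSet[str] = frozenset()) -> Optional[str]:
    """First frame that is not the allocator, a sanitizer interceptor or a known wrapper."""
    for name in frames:
        if name not in ALLOCATOR_NAMES and name not in wrappers and not name.startswith("__"):
            return name
    return None


def triage(r: AsanReport, wrappers: FrozenSet[str] = frozenset()) -> dict:
    """Condense the report into the fields a bug ticket needs."""
    past_end = r.offset + r.size if r.where == "to the right of" and r.size is not None else None
    return {
        "kind": r.kind,
        "access": f"{r.access} of {r.size} bytes" if r.access else None,
        "memory_corruption": r.access == "WRITE",   # a write past a region corrupts heap data
        "fault_frame": first_project_frame(r.access_frames, wrappers),
        "alloc_frame": first_project_frame(r.alloc_frames, wrappers),   # wrappers is an assumption
        "region_size": r.region_size,
        "bytes_past_end": past_end,
        "consistent": region_consistent(r),
    }
```

Calling `triage(parse_asan_report(SAMPLE_REPORT), frozenset({"luaM_realloc_"}))` yields fault_frame `luaD_precall`, alloc_frame `luaD_reallocstack`, an 8-byte WRITE, 8 bytes past the end of a 1248-byte region, and `consistent` True, which is the one-line summary worth attaching to a report like this: a heap write past the end of the interpreter's reallocated stack, so memory corruption rather than a benign crash. The consistency check matters when reports are hand-edited or truncated before being forwarded, as mailing-list pastes often are.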