lua-users home
lua-l archive



Interesting, you've just increased the number of fixed parameters by adding 10 positional parameters before the varying parameter.

So the bug is related to some compile-time constants for internal limits.

It's possible that some limit was changed (reduced?) in Lua 5.4.4 compared to 5.2.2, but if there is such a compile-time constant, we should investigate which one it is so that the bug can be reproduced more easily (in specific debug builds where this limit could be forced and lowered) and investigated more deeply in other Lua versions.

The limits may also be platform-dependent (32-bit or 64-bit; are there 16-bit ports of Lua for use on small dedicated devices or in MSDOS-like systems without a multitasking kernel?).

Maybe there's no need to upgrade Lua, just include a boundary check which may still be missing (and that could be backported to older versions using patches that are simple to apply, possibly providing new recompiled binaries).

The effect of the boundary check (when it is violated) is not necessarily simple, as the error to report must still be safe and the code to support it may be missing (if there were only assumptions that such a boundary could not be violated).
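
As an added illustration (not Lua's own code and not from anyone on this thread), a toy model of the stack-growth check the reply argues for: a vararg call setup that reserves room only for the callee's frame, beside one that also counts the nil padding for missing fixed parameters. The stack layout, the int slots and the 60/10/45/50 figures are assumptions chosen to mirror the reproducer's handler (45 fixed parameters, invoked with a single error value); where the real interpreter wrote past its buffer, the model returns a sentinel instead.

```c
#include <stdlib.h>

/* Toy VM stack (added model, not Lua's luaD_precall). Slots hold ints; 0 plays nil. */
typedef struct { int *slot; size_t size; size_t top; } Stack;

/* Ensure `need` free slots above top, growing the buffer by reallocation. */
static int ensure_free(Stack *s, size_t need) {
    if (s->size - s->top >= need) return 1;
    size_t nsize = s->size * 2;
    if (nsize < s->top + need) nsize = s->top + need;
    int *p = realloc(s->slot, nsize * sizeof *p);
    if (p == NULL) return 0;
    s->slot = p;
    s->size = nsize;
    return 1;
}

/* Call setup for a vararg callee with `nfixed` named parameters and a frame of
 * `frame` registers (frame >= nfixed): pad missing fixed args with nil, then copy
 * the fixed block above the varargs, loosely following Lua 5.2's scheme.
 * `hardened` decides whether the size check counts the padding; the unchecked
 * variant reserves only the frame. Returns the new base, -1 on allocation
 * failure, or -2 when a write would land past the buffer (the model refuses
 * instead of overflowing, which is what the ASan report below shows). */
static long precall(Stack *s, size_t nargs, size_t nfixed, size_t frame, int hardened) {
    size_t missing = nargs < nfixed ? nfixed - nargs : 0;
    size_t need = hardened ? missing + frame : frame;
    if (!ensure_free(s, need)) return -1;
    size_t first = s->top - nargs;                      /* first actual argument */
    if (s->top + missing + nfixed > s->size) return -2; /* bounds probe, no write */
    for (size_t i = 0; i < missing; i++) s->slot[s->top++] = 0;
    size_t base = s->top;                               /* callee's first register */
    for (size_t i = 0; i < nfixed; i++) s->slot[s->top++] = s->slot[first + i];
    return (long)base;
}

/* Assumed scenario mirroring the thread's reproducer: a handler with 45 fixed
 * parameters called with one error value, on a 60-slot stack with 10 slots used. */
long run_scenario(int hardened) {
    Stack s = { calloc(60, sizeof(int)), 60, 10 };
    if (s.slot == NULL) return -1;
    s.slot[9] = 42;                                     /* the one argument: the error value */
    long base = precall(&s, 1, 45, 50, hardened);
    free(s.slot);
    return base;
}
```

With the unchecked sizing the padding plus copy would need slot 99 of a 60-slot buffer, so the probe returns -2; the hardened sizing grows the stack first and the frame base lands at 54.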



On Wed, Jul 28, 2021 at 08:04, aman agrawal <aman.161089@gmail.com> wrote:
Hi Andrew,

Thanks for the reply.

I'm getting a crash when running the following code (a modification of http://lua-users.org/lists/lua-l/2020-07/msg00054.html) in Lua-5.2.2

Code

        -- error handler with 45 fixed parameters plus '...'; it calls the undefined
        -- global a9, so the handler itself raises an error
        function errfunc(p16, p17, p18, p19, p20, p21, p22, p23, p24, p25, p26, p27,
                p28, p29, p30, p31, p32, p33, p34, p35, p36, p37, p38, p39,
                p40, p41, p42, p43, p44, p45, p46, p48, p49, p50, p51, p52, p53, p54, p55, p56, p57, p58, p59, p60, ...)
                a9 'fail'
        end
        -- `test` is never defined, so each xpcall fails with "attempt to call a nil value"
        -- and runs its message handler; the first handler creates a table whose __gc
        -- compares the undefined global k with a number, which also errors
        coroutine.wrap(function()
                xpcall(test, function()
                        do setmetatable({}, { __gc = function() if k < 2 then end end }) end
                end)
                xpcall(test, errfunc)
        end)()


=================================================================
==96469==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a000001760 at pc 0x0000004a98f8 bp 0x7fffffffcc70 sp 0x7fffffffcc68
WRITE of size 8 at 0x61a000001760 thread T0
    #0 0x4a98f7 in luaD_precall (/lua-5.2.2/src/lua+0x4a98f7)
    #1 0x4aa1b9 in luaD_call (/lua-5.2.2/src/lua+0x4aa1b9)
    #2 0x4a6e8c in luaG_errormsg (/lua-5.2.2/src/lua+0x4a6e8c)
    #3 0x4a6a0d in luaG_runerror (/lua-5.2.2/src/lua+0x4a6a0d)
    #4 0x4a5fae in luaG_typeerror (/lua-5.2.2/src/lua+0x4a5fae)
    #5 0x4a9d5c in luaD_precall (/lua-5.2.2/src/lua+0x4a9d5c)
    #6 0x4aa1b9 in luaD_call (/lua-5.2.2/src/lua+0x4aa1b9)
    #7 0x4a0a1c in lua_pcallk (/lua-5.2.2/src/lua+0x4a0a1c)
    #8 0x5003f6 in luaB_xpcall (/lua-5.2.2/src/lua+0x5003f6)
    #9 0x4a8f96 in luaD_precall (/lua-5.2.2/src/lua+0x4a8f96)
    #10 0x4e0fff in luaV_execute (/lua-5.2.2/src/lua+0x4e0fff)
    #11 0x4aba13 in unroll (/lua-5.2.2/src/lua+0x4aba13)
    #12 0x4a76bb in luaD_rawrunprotected (/lua-5.2.2/src/lua+0x4a76bb)
    #13 0x4aa8f4 in lua_resume (/lua-5.2.2/src/lua+0x4aa8f4)
    #14 0x5010f4 in auxresume (/lua-5.2.2/src/lua+0x5010f4)
    #15 0x5011ab in luaB_auxwrap (/lua-5.2.2/src/lua+0x5011ab)
    #16 0x4a8f96 in luaD_precall (/lua-5.2.2/src/lua+0x4a8f96)
    #17 0x4e0fff in luaV_execute (/lua-5.2.2/src/lua+0x4e0fff)
    #18 0x4aa1cc in luaD_call (/lua-5.2.2/src/lua+0x4aa1cc)
    #19 0x4a76bb in luaD_rawrunprotected (/lua-5.2.2/src/lua+0x4a76bb)
    #20 0x4abf87 in luaD_pcall (/lua-5.2.2/src/lua+0x4abf87)
    #21 0x4a0845 in lua_pcallk (/lua-5.2.2/src/lua+0x4a0845)
    #22 0x494c28 in pmain (/lua-5.2.2/src/lua+0x494c28)
    #23 0x4a8f96 in luaD_precall (/lua-5.2.2/src/lua+0x4a8f96)
    #24 0x4aa1b9 in luaD_call (/lua-5.2.2/src/lua+0x4aa1b9)
    #25 0x4a76bb in luaD_rawrunprotected (/lua-5.2.2/src/lua+0x4a76bb)
    #26 0x4abf87 in luaD_pcall (/lua-5.2.2/src/lua+0x4abf87)
    #27 0x4a0845 in lua_pcallk (/lua-5.2.2/src/lua+0x4a0845)
    #28 0x493a93 in main (/lua-5.2.2/src/lua+0x493a93)

0x61a000001760 is located 0 bytes to the right of 1248-byte region [0x61a000001280,0x61a000001760)
allocated by thread T0 here:
    #0 0x47a929 in realloc (/lua-5.2.2/src/lua+0x47a929)
    #1 0x4ba4ec in luaM_realloc_ (/lua-5.2.2/src/lua+0x4ba4ec)
    #2 0x4a7892 in luaD_reallocstack (/lua-5.2.2/src/lua+0x4a7892)
    #3 0x4a8c11 in luaD_precall (/lua-5.2.2/src/lua+0x4a8c11)
    #4 0x4aa1b9 in luaD_call (/lua-5.2.2/src/lua+0x4aa1b9)
    #5 0x4a6e8c in luaG_errormsg (/lua-5.2.2/src/lua+0x4a6e8c)
    #6 0x4a6a0d in luaG_runerror (/lua-5.2.2/src/lua+0x4a6a0d)
    #7 0x4a5fae in luaG_typeerror (/lua-5.2.2/src/lua+0x4a5fae)
    #8 0x4a9d5c in luaD_precall (/lua-5.2.2/src/lua+0x4a9d5c)
    #9 0x4aa1b9 in luaD_call (/lua-5.2.2/src/lua+0x4aa1b9)
    #10 0x4a0a1c in lua_pcallk (/lua-5.2.2/src/lua+0x4a0a1c)
    #11 0x5003f6 in luaB_xpcall (/lua-5.2.2/src/lua+0x5003f6)
    #12 0x4a8f96 in luaD_precall (/lua-5.2.2/src/lua+0x4a8f96)
    #13 0x4e0fff in luaV_execute (/lua-5.2.2/src/lua+0x4e0fff)
    #14 0x4aba13 in unroll (/lua-5.2.2/src/lua+0x4aba13)
    #15 0x4a76bb in luaD_rawrunprotected (/lua-5.2.2/src/lua+0x4a76bb)
    #16 0x4aa8f4 in lua_resume (/lua-5.2.2/src/lua+0x4aa8f4)
    #17 0x5010f4 in auxresume (/lua-5.2.2/src/lua+0x5010f4)
    #18 0x5011ab in luaB_auxwrap (/lua-5.2.2/src/lua+0x5011ab)
    #19 0x4a8f96 in luaD_precall (/lua-5.2.2/src/lua+0x4a8f96)
    #20 0x4e0fff in luaV_execute (/lua-5.2.2/src/lua+0x4e0fff)
    #21 0x4aa1cc in luaD_call (/lua-5.2.2/src/lua+0x4aa1cc)
    #22 0x4a76bb in luaD_rawrunprotected (/lua-5.2.2/src/lua+0x4a76bb)
    #23 0x4abf87 in luaD_pcall (/lua-5.2.2/src/lua+0x4abf87)
    #24 0x4a0845 in lua_pcallk (/lua-5.2.2/src/lua+0x4a0845)
    #25 0x494c28 in pmain (/lua-5.2.2/src/lua+0x494c28)
    #26 0x4a8f96 in luaD_precall (/lua-5.2.2/src/lua+0x4a8f96)
    #27 0x4aa1b9 in luaD_call (/lua-5.2.2/src/lua+0x4aa1b9)
    #28 0x4a76bb in luaD_rawrunprotected (/lua-5.2.2/src/lua+0x4a76bb)
    #29 0x4abf87 in luaD_pcall (/lua-5.2.2/src/lua+0x4abf87)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/lua-5.2.2/src/lua+0x4a98f7) in luaD_precall
==96469==ABORTING

Yes, upgrading is an option, but then I might have to modify my code based on the new version, so I'm thinking that if we can apply the patch only, that would be easy.

On Wed, Jul 28, 2021 at 3:33 AM Andrew Gierth <andrew@tao11.riddles.org.uk> wrote:
>>>>> "aman" == aman agrawal <aman.161089@gmail.com> writes:

 aman> Hi,
 aman> Can you please tell me what are the changes required if we want
 aman> to apply the patch for CVE-2020-15888 in Lua-5.2.2

That CVE is a mess; it links to a bunch of unrelated bugs and commits
and has incorrect version information and a useless description.

As far as I can see, nothing in it is applicable to any version other
than 5.4.0 exactly. So the answer to your question is "nothing".

(That said, 5.2.2 clearly has numerous other bugs, some of them serious;
why are you using it?)

--
Andrew.


--
Best Regards
Aman Agrawal