lua-l archive


Aman> I'm getting a crash in running the following code (some modification of
Aman> in Lua-5.2.2

Andrew> I think that's likely to be caused by a separate bug, specifically this
Andrew> one:


Sean>  I was able to verify that version 5.2.2, as released, will crash with that
Sean> code (x86-32, Linux system, using "make generic" [1]), but that applying the
Sean> patch as listed (for 5.2.2-1) fixes the issue.  I was unable to get
Sean> subsequent versions of Lua to crash.

To add to what others are saying, this bug is CVE-2014-5461, which has been fixed for a while, and which can be fixed in older Lua versions with this simple patch:

diff --git a/src/ldo.c b/src/ldo.c
index d1bf786..30333bf 100644
--- a/src/ldo.c
+++ b/src/ldo.c
@@ -274,7 +274,7 @@ int luaD_precall (lua_State *L, StkId func, int nresults) {
     CallInfo *ci;
     StkId st, base;
     Proto *p = cl->p;
-    luaD_checkstack(L, p->maxstacksize);
+    luaD_checkstack(L, p->maxstacksize + p->numparams);
     func = restorestack(L, funcr);
     if (!p->is_vararg) {  /* no varargs? */
       base = func + 1;
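
Review bot: the changed luaD_checkstack call has no comment explaining why p->numparams is added on top of p->maxstacksize, and since the call sits before the `if (!p->is_vararg)` test, the larger reservation applies to both paths. A one-line comment above the call should name the code path that consumes the extra numparams slots, so the addition is not later "simplified" back to p->maxstacksize alone.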

I do not believe the CVE-2020-15888 and CVE-2020-15945 apply to any version of Lua before 5.4, but it’s impossible to prove a negative, so any reproducible crashes like this which work against an older Lua with the CVE-2014-5461 patch applied will be needed before I believe these new 2020 CVEs affect Lua 5.1 or what not.