- Subject: Re: patch for CVE-2020-15888
- From: Sam Trenholme <lua@...>
- Date: Wed, 28 Jul 2021 11:51:14 -0700
Aman> I'm getting a crash in running the following code (some modification of
Aman> http://lua-users.org/lists/lua-l/2020-07/msg00054.html) in Lua-5.2.2
Andrew> I think that's likely to be caused by a separate bug, specifically this
Andrew> one:
Andrew> https://www.lua.org/bugs.html#5.2.2-1
Sean> I was able to verify that version 5.2.2, as released, will crash with that
Sean> code (x86-32, Linux system, using "make generic" [1]), but that applying the
Sean> patch as listed (for 5.2.2-1) fixes the issue. I was unable to get
Sean> subsequent versions of Lua to crash.
To add to what others are saying, this bug is CVE-2014-5461, which has been fixed for a while, and which can be fixed in older Lua versions with this simple patch:
diff --git a/src/ldo.c b/src/ldo.c
index d1bf786..30333bf 100644
--- a/src/ldo.c
+++ b/src/ldo.c
@@ -274,7 +274,7 @@ int luaD_precall (lua_State *L, StkId func, int nresults) {
CallInfo *ci;
StkId st, base;
Proto *p = cl->p;
- luaD_checkstack(L, p->maxstacksize);
+ luaD_checkstack(L, p->maxstacksize + p->numparams);
func = restorestack(L, funcr);
if (!p->is_vararg) { /* no varargs? */
base = func + 1;
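Review bot: the changed luaD_checkstack call carries no comment explaining why p->numparams slots are reserved on top of p->maxstacksize, so a later cleanup could easily revert it as redundant. The call sits before the `if (!p->is_vararg)` test, which means the larger reservation is made on both the vararg and non-vararg paths; a one-line comment naming the path that actually needs the extra slots would make that intent clear. A regression test based on the crashing script discussed in this thread would also help confirm the fix on each backported version.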
I do not believe CVE-2020-15888 and CVE-2020-15945 apply to any version of Lua before 5.4, but it’s impossible to prove a negative, so any reproducible crashes like this which work against an older Lua with the CVE-2014-5461 patch applied will be needed before I believe these new 2020 CVEs affect Lua 5.1 or whatnot.