lua-users home
lua-l archive


Sorry about the formatting problems with the previous email. I just figured out how to configure Thunderbird to compose emails in a form suited to mailing lists like this, using the classic email format (80-column fixed-width font).

Aman> I'm getting a crash in running the following code (some
Aman> modification of
Aman> http://lua-users.org/lists/lua-l/2020-07/msg00054.html) in
Aman> Lua-5.2.2

Andrew> I think that's likely to be caused by a separate bug,
Andrew> specifically this one:
Andrew>
Andrew> https://www.lua.org/bugs.html#5.2.2-1

Sean> I was able to verify that version 5.2.2, as released, will
Sean> crash with that code (x86-32, Linux system, using "make generic"
Sean> [1]), but that applying the patch as listed (for 5.2.2-1) fixes
Sean> the issue. I was unable to get subsequent versions of Lua to
Sean> crash.

To add to what others are saying, this bug is CVE-2014-5461, which has
been fixed for a while, and which can be fixed in older Lua versions
with this simple patch:

diff --git a/src/ldo.c b/src/ldo.c
index d1bf786..30333bf 100644
--- a/src/ldo.c
+++ b/src/ldo.c
@@ -274,7 +274,7 @@ int luaD_precall()
     CallInfo *ci;
     StkId st, base;
     Proto *p = cl->p;
-    luaD_checkstack(L, p->maxstacksize);
+    luaD_checkstack(L, p->maxstacksize + p->numparams);
     func = restorestack(L, funcr);
     if (!p->is_vararg) {  /* no varargs? */
       base = func + 1;
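Review bot: the widened reservation on the `+` line carries no comment saying why `p->numparams` is the right margin, and the surrounding context (`CallInfo *ci;`, `StkId st, base;`, `Proto *p = cl->p;`) is the Lua 5.1 shape of luaD_precall rather than the 5.2.2 tree the thread is discussing, so the patch description should name the version it applies to. A one-line comment on the `luaD_checkstack` call would help the next reader: a vararg call can push up to `p->numparams` nils for missing fixed arguments before the frame of `p->maxstacksize` registers starts, which is why `p->maxstacksize` alone under-reserves (see lua.org/bugs.html#5.2.2-1 quoted above). The `if (!p->is_vararg)` context also shows the extra slots are reserved for non-vararg calls too; that is harmless, but worth stating as intended.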

I do not believe CVE-2020-15888 and CVE-2020-15945 apply to any
version of Lua before 5.4, but it's impossible to prove a negative, so
any reproducible crashes like this which work against an older Lua with
the CVE-2014-5461 patch applied will be needed before I believe these
new 2020 CVEs affect Lua 5.1 or whatnot.

-- Sam
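The following is an added example, not code from the thread above or from the Lua source tree. It is a bounds-checked toy model of the slot arithmetic behind the patch: a vararg call first nil-fills any missing fixed parameters above the caller's top, then copies the fixed parameters above them, then nil-fills the frame up to `maxstacksize`, while `luaD_checkstack` only guaranteed `maxstacksize` free slots at the time of the check. The toy stack, the function names (`toy_*`) and the sample sizes (50 fixed parameters, 60 registers) are assumptions chosen for illustration; the order of operations follows my reading of Lua 5.1's `luaD_precall`/`adjust_varargs`, simplified by dropping the `EXTRA_STACK` slack real Lua keeps beyond `stack_last`, so every overrun shows up here rather than only overruns larger than that slack.

```c
/*
 * Toy model of Lua 5.1's luaD_precall for a vararg function (added example,
 * not Lua's code).  Slots are ints, nil is -1, there is no EXTRA_STACK slack,
 * and checkstack grows the stack to exactly what is requested.  Out-of-bounds
 * stores are counted instead of performed, so the return value says how far
 * a given reservation falls short.
 */
#include <stdio.h>
#include <stdlib.h>

#define NIL (-1)

typedef struct {
    int *slots;   /* the value stack */
    int size;     /* allocated slots */
    int top;      /* first free slot */
    int oob;      /* stores that fell past `size` (memory corruption in real Lua) */
} ToyStack;

static void toy_init(ToyStack *s, int size) {
    s->slots = calloc((size_t)size, sizeof(int));
    if (!s->slots) { perror("calloc"); exit(1); }
    s->size = size;
    s->top = 0;
    s->oob = 0;
}

/* Bounds-checked store: counts, rather than performs, out-of-bounds writes. */
static void toy_set(ToyStack *s, int idx, int v) {
    if (idx < 0 || idx >= s->size) { s->oob++; return; }
    s->slots[idx] = v;
}

static int toy_get(const ToyStack *s, int idx) {
    return (idx >= 0 && idx < s->size) ? s->slots[idx] : NIL;
}

/* luaD_checkstack analogue: guarantee `n` free slots above the current top. */
static void toy_checkstack(ToyStack *s, int n) {
    if (s->size - s->top < n) {
        int newsize = s->top + n;
        int *grown = realloc(s->slots, (size_t)newsize * sizeof(int));
        if (!grown) { perror("realloc"); exit(1); }
        for (int i = s->size; i < newsize; i++) grown[i] = NIL;
        s->slots = grown;
        s->size = newsize;
    }
}

/*
 * Call a vararg function with `numparams` fixed parameters and a frame of
 * `maxstacksize` registers, passing `nargs` arguments.  `reserve` is what the
 * checkstack call asks for: maxstacksize before the patch, maxstacksize +
 * numparams after it.  Returns the number of out-of-bounds stores (0 = the
 * reservation held).
 */
static int toy_precall_vararg(int numparams, int maxstacksize, int nargs, int reserve) {
    ToyStack s;
    int actual = nargs;
    toy_init(&s, 1 + nargs);                 /* a tight caller: just func + args */
    toy_set(&s, 0, 1000);                    /* slot 0: the function being called */
    for (int i = 0; i < nargs; i++) toy_set(&s, 1 + i, 1 + i);  /* arguments 1..nargs */
    s.top = 1 + nargs;

    toy_checkstack(&s, reserve);             /* the line the patch changes */

    /* adjust_varargs step 1: complete missing fixed parameters with nil. */
    for (; actual < numparams; ++actual) toy_set(&s, s.top++, NIL);
    /* step 2: move the fixed parameters to their final position above the varargs. */
    int fixed = s.top - actual;              /* first fixed argument */
    int base = s.top;                        /* final position of the first argument */
    for (int i = 0; i < numparams; i++) {
        toy_set(&s, s.top++, toy_get(&s, fixed + i));
        toy_set(&s, fixed + i, NIL);
    }
    /* Frame setup: registers up to base + maxstacksize start out nil. */
    int ci_top = base + maxstacksize;
    for (int st = s.top; st < ci_top; st++) toy_set(&s, st, NIL);

    int oob = s.oob;
    free(s.slots);
    return oob;
}

int main(void) {
    const int numparams = 50, maxstacksize = 60;   /* constructed sample sizes */
    const int nargs_cases[] = { 0, 20, 50 };
    printf("nargs  reserve=maxstacksize  reserve=maxstacksize+numparams\n");
    for (size_t i = 0; i < sizeof nargs_cases / sizeof nargs_cases[0]; i++) {
        int n = nargs_cases[i];
        printf("%5d  %20d  %30d\n", n,
               toy_precall_vararg(numparams, maxstacksize, n, maxstacksize),
               toy_precall_vararg(numparams, maxstacksize, n, maxstacksize + numparams));
    }
    return 0;
}
```

The overrun in the pre-patch column is exactly `numparams - nargs`: the nil-filling of missing fixed arguments moves `base` up by that many slots before the `maxstacksize`-register frame is laid out, so a call that passes every fixed argument is unaffected while `f()` on a function with 50 fixed parameters writes 50 slots past what was reserved. Reserving `maxstacksize + numparams`, the bound in the patch, covers that worst case; in real Lua the 5-slot `EXTRA_STACK` slack hides overruns smaller than that, which is why the reproducers for this bug use many parameters.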