- Subject: Re: patch for CVE-2020-15888
- From: Sam Trenholme <lua@...>
- Date: Thu, 29 Jul 2021 02:56:14 -0700
Sorry about the formatting problems with the previous email. I just
figured out how to configure Thunderbird to compose emails in a form
suitable for mailing lists like this one, using the classic email format
(80-column fixed-width font).
Aman> I'm getting a crash in running the following code (some
Aman> modification of
Aman> http://lua-users.org/lists/lua-l/2020-07/msg00054.html) in
Aman> Lua-5.2.2
Andrew> I think that's likely to be caused by a separate bug,
Andrew> specifically this one:
Andrew> https://www.lua.org/bugs.html#5.2.2-1
Sean> I was able to verify that version 5.2.2, as released, will
Sean> crash with that code (x86-32, Linux system, using "make generic"
Sean> [1]), but that applying the patch as listed (for 5.2.2-1) fixes
Sean> the issue. I was unable to get subsequent versions of Lua to
Sean> crash.
To add to what others are saying, this bug is CVE-2014-5461, which has
been fixed for a while, and which can be fixed in older Lua versions
with this simple patch:
diff --git a/src/ldo.c b/src/ldo.c
index d1bf786..30333bf 100644
--- a/src/ldo.c
+++ b/src/ldo.c
@@ -274,7 +274,7 @@ int luaD_precall()
CallInfo *ci;
StkId st, base;
Proto *p = cl->p;
- luaD_checkstack(L, p->maxstacksize);
+ luaD_checkstack(L, p->maxstacksize + p->numparams);
func = restorestack(L, funcr);
if (!p->is_vararg) { /* no varargs? */
base = func + 1;
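Review bot: the changed `luaD_checkstack` line carries no explanation of why `p->numparams` extra slots are needed on top of `p->maxstacksize`, and the diff has no description, so a maintainer applying it to another Lua tree cannot tell from the hunk alone what it fixes or whether it matches the upstream 5.2.2-1 change referenced earlier in the thread. Suggest a short comment on the line, e.g. `/* extra room for fixed parameters of a vararg function (lua.org/bugs.html#5.2.2-1) */`, and a one-line header above the diff naming the bug and the Lua version the `index d1bf786..30333bf` line was taken from; the reservation sits just before the `if (!p->is_vararg)` branch, so the comment is also where a reader would look to see which path needs the extra space.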
I do not believe CVE-2020-15888 and CVE-2020-15945 apply to any
version of Lua before 5.4, but it's impossible to prove a negative, so
any reproducible crashes like this which work against an older Lua with
the CVE-2014-5461 patch applied will be needed before I believe these
new 2020 CVEs affect Lua 5.1 or whatnot.
-- Sam
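Added example, not code from this thread or from the Lua project: a small
self-checking script a practitioner can run against an old 5.2.2 build
before and after applying the ldo.c patch above. It is modelled on the
shape of the trigger described in the upstream 5.2.2-1 entry (a vararg
function with many fixed parameters, called with fewer arguments than it
declares); the exact script Aman posted is not on this page, and the
parameter count of 50 and the argument counts tried are assumptions.

```lua
-- Constructed check for the Lua 5.2.2-1 / CVE-2014-5461 stack reservation
-- bug fixed by the ldo.c patch above.  Not the reproducer from the linked
-- thread; the parameter/argument counts below are arbitrary choices.
--
-- Mechanism: luaD_precall reserved only p->maxstacksize slots, but on entry
-- to a vararg function the fixed parameters are copied above the varargs,
-- so a vararg function with many fixed parameters called with few (or no)
-- arguments can write past the reserved stack.  What that does (nothing,
-- a Lua error, or a segfault) depends on the build and platform, so a run
-- that finishes cleanly does not prove the patch is applied; a crash does
-- prove it is not.

-- Lua 5.1 compatibility: loadstring/unpack instead of load/table.unpack.
local loadstr = loadstring or load
local unpack_ = table.unpack or unpack

local function make_vararg_with_fixed_params(nparams)
  -- Generate:  return function(p1, ..., pN, ...) ... end
  local params = {}
  for i = 1, nparams do params[#params + 1] = "p" .. i end
  local src = "return function(" .. table.concat(params, ", ") ..
              ", ...) local t = {...} return select('#', ...) end"
  local chunk, err = loadstr(src)
  assert(chunk, err)
  return chunk()          -- running the chunk yields the vararg function
end

local NPARAMS = 50        -- assumption: large enough to exceed maxstacksize
local f = make_vararg_with_fixed_params(NPARAMS)

-- The trigger is calling with FEWER arguments than fixed parameters: the
-- missing ones become nil, yet all NPARAMS fixed slots are still moved
-- above the (empty) vararg area.  We also try a few larger counts so the
-- expected vararg count can be checked on a healthy interpreter.
for n = 0, 60, 10 do
  local args = {}
  for i = 1, n do args[i] = i end
  local ok, res = pcall(f, unpack_(args, 1, n))
  local expected = math.max(0, n - NPARAMS)
  if ok then
    assert(res == expected,
           "vararg count " .. res .. " != expected " .. expected)
    print(string.format("call with %2d args: ok (%d varargs)", n, res))
  else
    print(string.format("call with %2d args: error: %s", n, tostring(res)))
  end
end

print("script finished; a segfault before this line means the ldo.c patch is missing")
```

Run it with the unpatched 5.2.2 binary and again after applying the patch; Sean's report above notes that the crash depended on the build ("make generic", x86-32), so treat a clean run as inconclusive and a crash as conclusive.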