- Subject: Re: Error handling with To-be-closed variable declared inside coroutine causes use-after-free read/write
- From: Roberto Ierusalimschy <roberto@...>
- Date: Tue, 2 Nov 2021 13:23:57 -0300
> I found an interesting crash in the Lua interpreter.
> (Ubuntu 20.04 LTS / glibc 2.3.1 / Lua 5.4.4 commit hash
> 0e5071b5fbcc244d9f8c4bae82e327ad59bccc3f)
>
> The code below generates a use after read crash with address-sanitizer applied.
> ---------------------------------------------------------------------------------------------------
> co = coroutine.wrap(
>   function()
>     local pcall <close> = setmetatable(
>       {}, {__close = function() pcall(co) end}
>     )
>     pcall()
>   end
> )
> co()
> [...]
Many thanks for the report. (Is there any special reason to call
the variable 'pcall'? The crash seems to happen with any name.)
-- Roberto