Heap use after free in luaD

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Heap use after free in luaD_tryfuncTM
From: Xmilia Hermit <xmilia.hermit@...>
Date: Thu, 11 Nov 2021 00:26:27 +0100

Inhttps://github.com/lua/lua/blob/e8deac5a41ffd644aaa78fda6d4bd5caa72cb077/ldo.c#L391-L393a use after free can occure if checkstackGCp calls a garbage collectorwhich rehashes the metatable into which the tm pointer points.


To make the example more reliable lua was compiled with:

TESTS= -DLUA_USER_H='"ltests.h"' -O0 -g -DHARDSTACKTESTS=1-DHARDMEMTESTS=1 -fsanitize=address

in which case the following code will cause a heap-use-after-free errorby address sanitizer:


local x = {}
x.__call = function() end
setmetatable(x, x)

do
setmetatable({},{
    __gc = function()
        for i = 1, 100 do
            x["x"..i] = 1
        end
    end
})
end

return x()

Regards,
Xmilia

Follow-Ups:
- Re: Heap use after free in luaD_tryfuncTM, Roberto Ierusalimschy

Prev by Date: Re: Nested Userdata
Next by Date: Re: Nested Userdata
Previous by thread: Re: Nested Userdata
Next by thread: Re: Heap use after free in luaD_tryfuncTM
Index(es):
- Date
- Thread