Re: Heap use after free in luaD

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Heap use after free in luaD_tryfuncTM
From: Roberto Ierusalimschy <roberto@...>
Date: Fri, 12 Nov 2021 10:09:57 -0300

> In https://github.com/lua/lua/blob/e8deac5a41ffd644aaa78fda6d4bd5caa72cb077/ldo.c#L391-L393
> a use after free can occure if checkstackGCp calls a garbage collector
> which rehashes the metatable into which the tm pointer points.

Many thanks for the report. (How did you find this bug? Just
inspection?) I believe this small change should fix the issue:

 StkId luaD_tryfuncTM (lua_State *L, StkId func) {
-  const TValue *tm = luaT_gettmbyobj(L, s2v(func), TM_CALL);
+  const TValue *tm;
   StkId p;
   checkstackGCp(L, 1, func);  /* space for metamethod */
+  tm = luaT_gettmbyobj(L, s2v(func), TM_CALL);
   if (l_unlikely(ttisnil(tm)))
     luaG_callerror(L, s2v(func));  /* nothing to call */

-- Roberto

Follow-Ups:
- Re: Heap use after free in luaD_tryfuncTM, Xmilia Hermit

References:
- Heap use after free in luaD_tryfuncTM, Xmilia Hermit

Prev by Date: Lua lvm.c tweak to allow userdata <-> String comparison
Next by Date: Re: Is there something like a lua_trypushstring() with return value? Could there be?
Previous by thread: Heap use after free in luaD_tryfuncTM
Next by thread: Re: Heap use after free in luaD_tryfuncTM
Index(es):
- Date
- Thread