- Subject: Re: Crash Analysis: Finalizer Logic in singlestep function can lead to Sandbox Escape Exploit
- From: 김지회 <pascal4847@...>
- Date: Tue, 30 Nov 2021 01:48:39 +0900
Many thanks for the prompt reply.
It's a good point that 'changing the mode' is just one of the possible
bad consequences.
It is obvious that we can't be sure that this is the only one.
(As you said, it's very hard to debug the garbage collecting problem...)
However, we cannot find another bad case that originates from
runtilstate's problem until now.
That's the reason why we patch the problem in this way.
In other words, the patch is just a hotfix to deal with the sandbox
escape issue.
I would be very grateful if you find a proper way to patch the problem.
Would you let me know if any solution is accepted?
By the way, the signal parameter seems like a good idea, but I can't
figure out how we can determine whether the finalizer should be skipped
or not.
--Regards, Jihoi.