- Subject: Re: heap-buffer-overflow in luaH_getshortstr
- From: Roberto Ierusalimschy <roberto@...>
- Date: Wed, 6 Apr 2022 10:37:05 -0300
> + roberto@
>
> Hello. May I claim a CVE ID for this report?
Why would you not?
> 21.02.2022, 21:38, "Roberto Ierusalimschy" <roberto@inf.puc-rio.br>:
>
> I found a heap-buffer-overflow on read in the luaH_getshortstr
> function.
>
> Lua version:
> Lua 5.4.4 Copyright (C) 1994-2022 Lua.org, PUC-Rio (commit
> 5d708c3f9cae12820e415d4f89c9eacbe2ab964b)
>
> How to reproduce:
> ----------
> 1. git clone [1]https://github.com/lua/lua -q
> 2. cd lua/ && make -j$(nproc)
> 3. echo -n
> "bG9jYWwgdSxfLE4sXyx3LE4sZCxXCmZ1bmN0aW9uIGMoRSxMLGwsUyxULHUsTSxULGwsaCxoLHUsdSxsLGgsaCx1LHUsTSx1LHUsdSxsLGgsaCxsKXM9cyBsb2NhbAllLGUsXyxfLE4sZSxzMCxOLFYsXyBmdW5jdGlvbiBjKGIsbClpLHM9TiBsb2NhbCBjIGxvY2FsIF9FTlY8Y29uc3Q+ID0wIG89MCBmdW5jdGlvbiBlKCllbmQ7ZSIicmV0dXJuIGVuZDtlMCxhLHcscyxzLHM9IiJyZXR1cm4jYyIiZW5kO2VlPSIicmV0dXJuDGMiIg=="
> | base64 -d > poc
> 4. ./lua ./poc
> ----------
>
> Thanks for the report. It seems there is a 'luaK_exp2anyregup' missing
> in 'singlevar':
>
> --- a/lparser.c
> +++ b/lparser.c
> @@ -468,6 +468,7 @@ static void singlevar (LexState *ls, expdesc *var) {
> expdesc key;
> singlevaraux(fs, ls->envn, var, 1); /* get environment variable */
> lua_assert(var->k != VVOID); /* this one must exist */
> + luaK_exp2anyregup(fs, var); /* but could be a constant */
> codestring(&key, varname); /* key is variable name */
> luaK_indexed(fs, var, &key); /* env[varname] */
> }
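Review bot: the new `luaK_exp2anyregup(fs, var)` is placed correctly, but the comment `/* but could be a constant */` should state why that matters, since the `lua_assert` on the line above only checks that the variable exists, not that it lives in a register or upvalue: when `_ENV` has been declared as a `<const>` local with a literal initializer (the base64 PoC in this thread decodes to a chunk containing `local _ENV<const> =0`), `singlevaraux` yields a compile-time constant, and without this call the following `luaK_indexed(fs, var, &key)` builds `env[varname]` on an expression that has no register, which is the invalid read reported in `luaH_getshortstr`. Suggest expanding the comment to "_ENV may be a compile-time constant; move it to a register/upvalue before indexing" and adding the reduced chunk as a regression case in the test suite so the assert-free release build is covered as well.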
>
> How did you find this bug?
>
> -- Roberto
>
> References
>
> Visible links
> 1. https://github.com/lua/lua
-- Roberto
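A regression check for the `singlevar` fix, written in the style of Lua's own test files. This is an added example, not code from the thread or from the Lua project; the trigger is an assumption reduced from the base64 PoC above, which decodes to a chunk containing `local _ENV<const> =0 o=0`. The essential ingredient is a global access after `_ENV` has been declared a `<const>` local holding a compile-time constant; the second case shows the boundary: a `<const>` `_ENV` initialized with a table constructor is not a compile-time constant, takes the ordinary register path and must keep working.

```lua
-- Added example (not from the thread, not from the Lua test suite).
-- Assumption: the chunk below is reduced from the PoC in this thread.

-- Case 1: _ENV is a <const> local with a literal value, so the parser turns it
-- into a compile-time constant instead of a register. The global access `o = 0`
-- has to index that constant. On a fixed build the parser moves it into a
-- register and the access fails with an ordinary runtime error; an unfixed
-- 5.4.4 misbehaves inside the compiler itself while loading this chunk.
local const_env_chunk = [[
  local _ENV <const> = 0   -- compile-time constant, no register allocated
  o = 0                    -- global access => _ENV.o on the constant
]]

-- Case 2: a table constructor is not a compile-time constant, so _ENV keeps a
-- register even though it is <const>. Global access must behave as usual.
local table_env_chunk = [[
  local _ENV <const> = {}
  o = 42
  return o
]]

local function check_const_env()
  local f, err = load(const_env_chunk, "=const_env")
  assert(f, err)                      -- chunk must compile (no parser crash)
  local ok, msg = pcall(f)
  assert(not ok, "expected a runtime error when indexing a constant _ENV")
  return msg                          -- a normal Lua error message, not a fault
end

local function check_table_env()
  local f, err = load(table_env_chunk, "=table_env")
  assert(f, err)
  local ok, value = pcall(f)
  assert(ok and value == 42, "global access through a register _ENV broke")
  return value
end

print("const _ENV error:", check_const_env())
print("table _ENV value:", check_table_env())
```

Run it with the patched interpreter (`./lua regress.lua`); under a build compiled with AddressSanitizer, the first case is the one that distinguishes a fixed parser (clean runtime error) from an unfixed one (sanitizer report during `load`).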