- Subject: Re: heap-buffer-overflow found in luaG_errormsg
- From: Ką Mykolas <kamicc@...>
- Date: Fri, 13 May 2022 14:33:52 +0300
Can reproduce with Ubuntu 18.04 and bleeding edge Arch set-up.
On Fri, May 13, 2022 at 1:09 PM Jinwei Dong <jwdong2000@qq.com> wrote:
>
> Hello,
>
> I found a heap buffer overflow which can cause a heap double free error.
>
> Lua version: Lua 5.4.4 Copyright (C) 1994-2022 Lua.org, PUC-Rio
> Latest commit: 8426d9b4d4df1da3c5b2d759e509ae1c50a86667
> Platform: Ubuntu-20.04 x86_64
> Glibc version: GLIBC 2.31-0ubuntu9.9
>
> POC:
> ---------------
> #poc.lua
> print(
>   xpcall((0),
>     function(...)
>       local f
>       if d[print(print(print(print(t[...]))))] then
>       end
>     end
>   )
> )
> ---------------
>
> How to reproduce:
> ---------------
> 1. git clone https://github.com/lua/lua
> 2. cd lua && make
> 3. ./lua ./poc.lua
> ---------------
>
> Error message:
> ---------------
> double free or corruption (!prev)
> [1] 49704 abort (core dumped) ./lua ./poc.lua
> ---------------
>
> Address Sanitizer log: see **attachment.txt**
>
> I apologise for putting the asan's logs directly into the body of the email in the previous mail, which made the body too large to view; I have now put them into an attachment file.
>
> And the stack backtrace is recursive, so this could be an error that occurs during some recursive processes.
>
> Found by: Jinwei Dong
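A reproduction and triage harness for the steps above, added here and not code from the original report or from the Lua project: it builds the upstream tree with AddressSanitizer so the first invalid heap access is reported where it happens, rather than surfacing later as glibc's "double free or corruption" abort, and then names the bug class found in the log. The function names, the CC override, and the sample log lines are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original report or from the Lua project:
# build the upstream tree with AddressSanitizer and run poc.lua under it, so
# the first out-of-bounds heap access is reported where it happens instead of
# surfacing later as glibc's "double free or corruption" abort.
# Assumptions: git and a gcc with ASan support are installed, poc.lua from the
# report is in the working directory, and the repository's makefile uses $(CC)
# for both compiling and linking, so the sanitizer flag in CC covers both.

LUA_REPO="https://github.com/lua/lua"      # URL given in the report
ASAN_CC="gcc -fsanitize=address -fno-omit-frame-pointer -g -O1"

# Clone (if needed) and build an ASan-instrumented ./lua/lua interpreter.
build_asan_lua() {
    [ -d lua ] || git clone "$LUA_REPO" lua
    make -C lua CC="$ASAN_CC"
}

# Run the PoC with the instrumented interpreter, saving stdout+stderr to $2.
# ASan halts on the first error, so the log shows the root cause rather than
# the downstream heap corruption that glibc eventually detects.
run_poc() {
    poc="$1"; log="$2"
    ./lua/lua "$poc" >"$log" 2>&1 || true   # a crash exit is the expected result
}

# Print the bug class named in a crash log: the <class> from a real ASan
# "ERROR: AddressSanitizer: <class> ..." line (e.g. heap-buffer-overflow,
# double-free), the glibc malloc abort message if no ASan report is present,
# or "none".
asan_bug_class() {
    log="$1"
    cls=$(sed -n 's/.*ERROR: AddressSanitizer: \(attempting \)*\([a-z-]*\).*/\2/p' "$log" | head -n 1)
    if [ -n "$cls" ]; then
        echo "$cls"
    elif grep -q 'double free or corruption' "$log"; then
        echo "glibc-double-free-or-corruption"
    else
        echo "none"
    fi
}

# Full run (needs network and a compiler): sh this_script.sh --run
if [ "${1:-}" = "--run" ]; then
    build_asan_lua
    run_poc ./poc.lua asan.log
    echo "bug class: $(asan_bug_class asan.log)"
fi
```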