lua-users home
lua-l archive

> > I found a heap buffer overflow which can cause a heap double free error.
> [...]

The problem seems to be the use of the EXTRA_STACK at luaG_errormsg.
luaG_errormsg calls luaD_callnoyield, which calls luaD_precall, which
checks the stack and grows it if needed. However, there can be an error
before that, in luaE_checkcstack. If luaE_checkcstack raises an error
(C stack overflow), then luaG_errormsg will be called again without any
stack check in-between, and then it will again assume EXTRA_STACK and
that may cause a buffer overflow.

-- Roberto
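The re-entrancy hazard described above, as an added example that is not part of the original message and not Lua's code: a small constructed model in which an error path pushes one slot on the assumption that EXTRA_STACK slack is free, and the call it then makes can fail (the stand-in for luaE_checkcstack) before any stack check has run, so the error path is entered again on top of itself. The struct, the numbers, the function names and the "checked" variant (which simply ensures room before pushing) are all assumptions made for the illustration; the model records a would-be write past the buffer in a flag instead of performing it.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model (not Lua's code) of an error path that relies on
 * EXTRA_STACK slack and is re-entered before any stack check has run.
 * All sizes and names here are assumptions for illustration. */

#define EXTRA_STACK 2   /* slack the error path assumes it may use */
#define BASE_STACK  4   /* usable slots before the slack */

typedef struct {
  int *slot;       /* stack storage */
  int size;        /* allocated slots, including EXTRA_STACK */
  int top;         /* next free index */
  int overflowed;  /* set instead of writing past the buffer */
  int cdepth;      /* simulated C-call depth */
  int climit;      /* depth at which the C-stack check "raises" */
} State;

typedef void (*ErrorFn)(State *, int, int);

static void state_init(State *L) {
  L->size = BASE_STACK + EXTRA_STACK;
  L->slot = calloc((size_t)L->size, sizeof(int));
  if (!L->slot) abort();
  L->top = 0; L->overflowed = 0; L->cdepth = 0; L->climit = 3;
}

static void state_free(State *L) { free(L->slot); }

/* Push with no room check: models code that counts on EXTRA_STACK. */
static void push_unchecked(State *L, int v) {
  if (L->top >= L->size) { L->overflowed = 1; return; }  /* would corrupt the heap */
  L->slot[L->top++] = v;
}

/* Ensure n free slots plus EXTRA_STACK (models the precall stack check). */
static void checkstack(State *L, int n) {
  if (L->top + n + EXTRA_STACK > L->size) {
    L->size = (L->top + n + EXTRA_STACK) * 2;
    L->slot = realloc(L->slot, (size_t)L->size * sizeof(int));
    if (!L->slot) abort();
  }
}

/* Models a C-stack depth check: nonzero means "raise C stack overflow". */
static int checkcstack(State *L) { return ++L->cdepth > L->climit; }

/* Models calling the handler: the C-stack check runs BEFORE the stack
 * check, so a failure here re-enters the error path with no stack growth. */
static void callnoyield(State *L, ErrorFn handler, int guard) {
  if (checkcstack(L)) {        /* error raised before the stack check */
    handler(L, -1, guard);     /* error path entered again */
    return;
  }
  checkstack(L, 1);            /* the precall check, reached only on success */
  push_unchecked(L, 0);        /* the handler's call frame */
}

/* Error path that assumes EXTRA_STACK is free and pushes without checking. */
static void errormsg_naive(State *L, int msg, int guard) {
  if (guard <= 0 || L->overflowed) return;   /* guard: stop endless re-raise */
  push_unchecked(L, msg);      /* relies on EXTRA_STACK slack */
  callnoyield(L, errormsg_naive, guard - 1);
}

/* Assumed defensive variant: make room before relying on the slack. */
static void errormsg_checked(State *L, int msg, int guard) {
  if (guard <= 0 || L->overflowed) return;
  checkstack(L, 1);            /* ensure a free slot before pushing */
  push_unchecked(L, msg);
  callnoyield(L, errormsg_checked, guard - 1);
}

/* Run the scenario with the stack full up to its slack and the C-call depth
 * already at the limit; returns 1 if the model detected a write past the end. */
int scenario(int use_check) {
  State L; int r;
  state_init(&L);
  L.top = BASE_STACK;          /* only the EXTRA_STACK slots are free */
  L.cdepth = L.climit;         /* the next call trips the C-stack check */
  if (use_check) errormsg_checked(&L, 1, 10); else errormsg_naive(&L, 1, 10);
  r = L.overflowed;
  state_free(&L);
  return r;
}

int main(void) {
  printf("unchecked error path overflowed: %d\n", scenario(0));  /* 1 */
  printf("checked error path overflowed:   %d\n", scenario(1));  /* 0 */
  return 0;
}
```

With EXTRA_STACK set to 2, the unchecked path survives exactly two re-entries and the third push lands past the end of the buffer; the checked variant grows the stack before each push, so repeated re-entry only costs memory until the guard stops it.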