- Subject: Re: Found heap-buffer-overflow with grammar-based fuzzer
- From: Roberto Ierusalimschy <roberto@...>
- Date: Wed, 15 Mar 2023 17:04:39 -0300
> > > Loading binary files should be resistant to bad data.
> >
> > I would say that it is not resistant to bad data. Have a look at https://github.com/lua/lua/blob/c4b71b7ba0dee419b5bda1ec297eca8e42c9f1d2/lundump.c#L250-L252
> > where n is loaded and can cause a buffer overflow when it is larger than
> > the allocated upvalues array.
>
> That seems to be a bug, thanks for the report.
Actually, there is a good chance that it is *the* bug. Although I'm
unable to replicate the buffer overflow, the gsub seems to be
changing the number of upvalues of a closure, so it is reasonable
that a subsequent read of the debug information (which should have
the same number of upvalues) can cause a buffer overflow.
-- Roberto
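The failure mode discussed in this thread, as an added illustration that is not Lua's code: a minimal deserialiser in which the upvalue section fixes the array size and a later debug section carries its own count. The names (`Proto`, `sizeupvalues`, `LoadState`) are borrowed from lundump.c for readability, but the structures and byte format here are a constructed model, and the consistency check that rejects a mismatched count is the defensive point.

```c
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Illustrative model of a function prototype: the upvalue array is sized
   when the upvalue section is read. Names mimic lundump.c, but these are
   not Lua's real structures. */
typedef struct { unsigned char instack, idx; const char *name; } Upvaldesc;
typedef struct { int sizeupvalues; Upvaldesc *upvalues; } Proto;

/* Byte stream being deserialised (constructed format, not a real Lua chunk). */
typedef struct { const unsigned char *p; size_t n; int error; } LoadState;

static int loadByte(LoadState *S) {
    if (S->n == 0) { S->error = 1; return 0; }   /* truncated input */
    S->n--;
    return *S->p++;
}

/* Upvalue section: the count n read here decides how large the array is. */
static int loadUpvalues(LoadState *S, Proto *f) {
    int n = loadByte(S);
    f->upvalues = calloc((size_t)n, sizeof(Upvaldesc));
    f->sizeupvalues = n;
    for (int i = 0; i < n && !S->error; i++) {
        f->upvalues[i].instack = (unsigned char)loadByte(S);
        f->upvalues[i].idx = (unsigned char)loadByte(S);
    }
    return S->error ? -1 : 0;
}

/* Debug section: carries its own count of upvalue names. A malformed
   chunk can make this count exceed f->sizeupvalues; without the check
   below, the loop would write past the array allocated above. */
static int loadDebugUpvalueNames(LoadState *S, Proto *f) {
    int n = loadByte(S);
    if (n > f->sizeupvalues) { S->error = 1; return -1; }  /* reject mismatch */
    for (int i = 0; i < n && !S->error; i++) {
        (void)loadByte(S);                 /* stands in for reading a name */
        f->upvalues[i].name = "upvalue";   /* the write that must stay in bounds */
    }
    return S->error ? -1 : 0;
}

/* Returns 0 when the chunk is consistent, -1 when it is rejected. */
int load_chunk(const unsigned char *buf, size_t len, Proto *f) {
    LoadState S = { buf, len, 0 };
    memset(f, 0, sizeof *f);
    if (loadUpvalues(&S, f) != 0) return -1;
    return loadDebugUpvalueNames(&S, f);
}
```

The caller owns `f->upvalues` and frees it after either outcome.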