- Subject: Re: Found heap-buffer-overflow with grammar-based fuzzer
- From: Roberto Ierusalimschy <roberto@...>
- Date: Thu, 16 Mar 2023 11:35:07 -0300
> > > I am a researcher in software testing from the University of Stuttgart, Germany. We are testing grammar-based fuzzers and have chosen Lua as one of our fuzz targets for our experiments. We found 2 issues in Lua, but one of those seems to be already fixed in recent versions. Thus, here is the remaining issue we found, which still results in a crash in the current Lua version.
> >
> > Thanks for the report.
> >
> > I've been unable to reproduce this bug. Did you use any special value
> > for the variable ASAN_OPTIONS? What compiler/version are you using?
>
> Could you do the following change to lundump.c and run the example again?
>
> @@ -248,6 +248,7 @@ static void loadDebug (LoadState *S, Proto *f) {
> f->locvars[i].endpc = loadInt(S);
> }
> n = loadInt(S);
> +printf("%d %d\n", n, f->sizeupvalues);
> for (i = 0; i < n; i++)
> f->upvalues[i].name = loadStringN(S, f);
> }
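Review bot: the added printf only reports the mismatch and does not stop it; if n is larger than f->sizeupvalues (which, given the expectation that the two numbers are equal, is the allocated length of f->upvalues), the loop `for (i = 0; i < n; i++) f->upvalues[i].name = loadStringN(S, f);` still writes n entries, so for an actual fix rather than this diagnostic, a check before the loop that rejects the chunk when n does not match f->sizeupvalues is what is needed. Minor: printf needs <stdio.h>; if lundump.c does not already include it, add the include so the debugging build compiles without an implicit-declaration warning.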
>
> (The two printed numbers should be equal...)
Was anyone able to reproduce that buffer overflow? If so, would it be
possible to try this previous experience?
Many thanks,
-- Roberto