

Hello everyone!

Could someone please assess whether this bug is exploitable from a security point of view? Is it possible to potentially escape the interpreter and run arbitrary code (on a system with no memory protection), or is the memory corruption unpredictable?

--

Regards, Alexander Ch


On 16.03.2023 19:04, Roberto Ierusalimschy wrote:
Hello,

at first, I couldn't reproduce the bug when I copied it from the email. So I guess there must be a particular byte-sequence present in the file to trigger it. When I used the original file (see attachment), however, it worked.

gcc version 11.3.1 20220421 (Red Hat 11.3.1-2) (GCC)

See the output of your requested code modification:

$ cat ~/test1.lua | ./lua
0 0
1 1
1 1
1 1
0 0
1 1
180480 1

That seems to nail it. I was able to reproduce the bug now (with your
attachment and valgrind), and the overflow is exactly that problem
pointed out by Xmilia.

-- Roberto