lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Hello everyone!

Could someone please assess, is this bug exploitable from the security point of view? Is it possible to potentially escape the interpreter and run arbitrary code (on a system with no memory protection), or memory corruption is unpredictable?


Regards, Alexander Ch

On 16.03.2023 19:04, Roberto Ierusalimschy wrote:

at first, I couldn't reproduce the bug when I copied it from the email. So I guess there must be a particular byte-sequence present in the file to trigger it. When I used the original file (see attachment), however, it worked.

gcc version 11.3.1 20220421 (Red Hat 11.3.1-2) (GCC)

See the output of your requested code modification:

$ cat ~/test1.lua | ./lua
0 0
1 1
1 1
1 1
0 0
1 1
180480 1
That seems to nail it. I was able to reproduce the bug now (with your
attachment and valgrind), and the overflow is exactly that problem
pointed out by Xmilia.

-- Roberto