
Hi there,

The description of CVE-2021-43519 is as follows [0]:

| Stack overflow in lua_resume of ldo.c in Lua Interpreter 5.1.0~5.4.4
| allows attackers to perform a Denial of Service via a crafted script
| file.

I'm wondering about the “5.1.0~5.4.4” part.  According to the original thread [1]
it was fixed upstream by https://github.com/lua/lua/commit/74d99057a5146755e737c479850f87fd0e3b6868
(v5.4.4) and appears to correspond to https://www.lua.org/bugs.html#5.4.3-7
which is marked as “existed since 5.4.2”.

I believe the issue was introduced upstream by
https://github.com/lua/lua/commit/287b302acb8d925178e9edb800f0a8d18c7d35f6#diff-a1e6f0be3689739fa1e5707427e78d792c7f6a333bed95fd05c4382d60bda7c4L687-R689
(v5.4.2) i.e., when incrementing L->nCcalls was moved to resume() from
lua_resume().  (As the original report mentions, resume() is called via
luaD_rawrunprotected() which resets the state on error.)

I'm able to reproduce the crash with v5.0 to v5.1.2, but I believe this is an
unrelated issue which is listed at https://www.lua.org/bugs.html#5.1.2-4 .
Similarly, the original PoC yields a crash with v5.2.0, which I believe is due
to this unrelated issue: https://www.lua.org/bugs.html#5.2.0-4 .  Either way,
I'm unable to reproduce the crash with v5.1.x from v5.1.3, nor with v5.2.x from
v5.2.1.

Furthermore, I'm unable to reproduce the crash with any of the v5.3.x releases (built
from lua-all.tar.gz), and indeed there L->nCcalls is incremented in lua_resume(),
i.e., outside LUAI_THROW: https://github.com/lua/lua/blob/v5.3.6/ldo.c#L658 .

Is the range of affected versions from the CVE description incorrect?  If so
could you please confirm that only v5.4.2 and v5.4.3 are affected, and that the
vulnerability was introduced by the aforementioned 287b302a?

Thanks!
Cheers,
-- 
Guilhem.

[0] https://www.cve.org/CVERecord?id=CVE-2021-43519
[1] http://lua-users.org/lists/lua-l/2021-10/msg00123.html
    http://lua-users.org/lists/lua-l/2021-11/msg00015.html