- Subject: heap buffer overflow in luaC_newobjdt
- From: Sergey Bronnikov <sergeyb@...>
- Date: Sat, 16 Dec 2023 18:32:09 +0300
Hello!
I've discovered a heap buffer overflow in the current version of PUC Rio Lua
(commit hash 7923dbbf72da303ca1cca17efd24725668992f15).
With 64-bit Lua it is not reproduced, but Lua eats an enormous amount of
memory.
How to reproduce:
Build Lua 32-bit with enabled Address Sanitizer:
CC=clang CXX=clang++ CFLAGS="-march=i686 -m32 -fsanitize=address"
LDFLAGS="-march=i686 -m32 -fsanitize=address" make
Run Lua code:
./lua -e "local a = 'Name' for b = -1000, 0 do a = a .. '____________'
.. a .. '____________' .. a .. a .. '____________' end"
Execution is aborted by ASAN with the following report:
=================================================================
==365438==ERROR: AddressSanitizer: heap-buffer-overflow on address
0xf58006f5 at pc 0x5670f836 bp 0xffd08e88 sp 0xffd08e80
WRITE of size 1 at 0xf58006f5 thread T0
#0 0x5670f835 in luaC_newobjdt
/home/sergeyb/sources/cache/lua/lgc.c:262:13
#1 0x5670f835 in luaC_newobj
/home/sergeyb/sources/cache/lua/lgc.c:271:10
#2 0x56740812 in createstrobj
/home/sergeyb/sources/cache/lua/lstring.c:148:7
#3 0x56740812 in luaS_createlngstrobj
/home/sergeyb/sources/cache/lua/lstring.c:158:17
#4 0x56755c88 in luaV_concat
/home/sergeyb/sources/cache/lua/lvm.c:676:14
#5 0x567580bb in luaV_execute
/home/sergeyb/sources/cache/lua/lvm.c:1584:9
#6 0x56704ead in ccall /home/sergeyb/sources/cache/lua/ldo.c:637:5
#7 0x56704ead in luaD_callnoyield
/home/sergeyb/sources/cache/lua/ldo.c:655:3
#8 0x566f26ee in f_call /home/sergeyb/sources/cache/lua/lapi.c:1038:3
#9 0x566ff567 in luaD_rawrunprotected
/home/sergeyb/sources/cache/lua/ldo.c:144:3
#10 0x56706742 in luaD_pcall
/home/sergeyb/sources/cache/lua/ldo.c:953:12
#11 0x566f231e in lua_pcallk
/home/sergeyb/sources/cache/lua/lapi.c:1064:14
#12 0x566e1d6e in docall /home/sergeyb/sources/cache/lua/lua.c:160:12
#13 0x566e0eac in handle_script
/home/sergeyb/sources/cache/lua/lua.c:264:14
#14 0x566e0eac in pmain /home/sergeyb/sources/cache/lua/lua.c:653:9
#15 0x56703969 in precallC /home/sergeyb/sources/cache/lua/ldo.c:529:7
#16 0x567044a7 in luaD_precall /home/sergeyb/sources/cache/lua/ldo.c
#17 0x56704e7c in ccall /home/sergeyb/sources/cache/lua/ldo.c:635:13
#18 0x56704e7c in luaD_callnoyield
/home/sergeyb/sources/cache/lua/ldo.c:655:3
#19 0x566f26ee in f_call /home/sergeyb/sources/cache/lua/lapi.c:1038:3
#20 0x566ff567 in luaD_rawrunprotected
/home/sergeyb/sources/cache/lua/ldo.c:144:3
#21 0x56706742 in luaD_pcall
/home/sergeyb/sources/cache/lua/ldo.c:953:12
#22 0x566f231e in lua_pcallk
/home/sergeyb/sources/cache/lua/lapi.c:1064:14
#23 0x566e0082 in main /home/sergeyb/sources/cache/lua/lua.c:681:12
#24 0xf7a21518 (/lib/i386-linux-gnu/libc.so.6+0x21518) (BuildId:
7f64b917aaa97b9680d8e44931bf7611c5a1f036)
#25 0xf7a215f2 in __libc_start_main
(/lib/i386-linux-gnu/libc.so.6+0x215f2) (BuildId:
7f64b917aaa97b9680d8e44931bf7611c5a1f036)
#26 0x565fd64a in _start
(/home/sergeyb/sources/cache/lua/lua+0x2264a) (BuildId:
066e129ddc145c39f3e3d982db81e03730fec0ba)
0xf58006f5 is located 0 bytes after 5-byte region [0xf58006f0,0xf58006f5)
allocated by thread T0 here:
#0 0x5669f242 in realloc
(/home/sergeyb/sources/cache/lua/lua+0xc4242) (BuildId:
066e129ddc145c39f3e3d982db81e03730fec0ba)
#1 0x56771877 in l_alloc
/home/sergeyb/sources/cache/lua/lauxlib.c:1024:12
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/sergeyb/sources/cache/lua/lgc.c:262:13 in luaC_newobjdt
Shadow bytes around the buggy address:
0xf5800400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0xf5800480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0xf5800500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0xf5800580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0xf5800600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0xf5800680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[05]fa
0xf5800700: fa fa 00 fa fa fa fd fd fa fa fd fa fa fa fd fa
0xf5800780: fa fa fd fd fa fa 00 00 fa fa fa fa fa fa fa fa
0xf5800800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0xf5800880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0xf5800900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==365438==ABORTING
(originally reported in OSS Fuzz,
https://oss-fuzz.com/testcase-detail/5024199630258176)
Sergey
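Added example (not part of the report above and not Lua's own code): a C model of how the concatenated length grows with each iteration of the loop in the reproducer, using checked size arithmetic against a 32-bit and a 64-bit size_t limit. The numbers of copies and separator bytes are read off the loop body; COPIES, SEPARATOR_BYTES and the function names are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the loop body from the report (not Lua's code):
 *   a = a .. '____________' .. a .. '____________' .. a .. a .. '____________'
 * Each iteration yields 4 copies of `a` plus three 12-byte separators. */
#define COPIES 4
#define SEPARATOR_BYTES (3 * 12)

/* Add two lengths, refusing to exceed `max_size` (the target's size_t limit).
 * Returns 1 and stores the sum on success, 0 if the sum would not fit. */
static int checked_add(uint64_t a, uint64_t b, uint64_t max_size, uint64_t *out) {
    if (a > max_size || b > max_size - a) return 0;
    *out = a + b;
    return 1;
}

/* Length of `a` after one more iteration; returns 0 if it would not fit. */
static int next_len(uint64_t len, uint64_t max_size, uint64_t *out) {
    uint64_t total = 0;
    for (int i = 0; i < COPIES; i++)
        if (!checked_add(total, len, max_size, &total)) return 0;
    return checked_add(total, SEPARATOR_BYTES, max_size, out);
}

/* Length after `iters` iterations, or 0 if any iteration overflows. */
static uint64_t len_after(uint64_t start_len, int iters, uint64_t max_size) {
    uint64_t len = start_len;
    for (int i = 0; i < iters; i++)
        if (!next_len(len, max_size, &len)) return 0;
    return len;
}

/* 1-based iteration at which the length first exceeds `max_size`,
 * or 0 if every one of `iters` iterations fits. */
static int first_overflow_iteration(uint64_t start_len, int iters, uint64_t max_size) {
    uint64_t len = start_len;
    for (int i = 1; i <= iters; i++)
        if (!next_len(len, max_size, &len)) return i;
    return 0;
}

int main(void) {
    /* 'Name' is 4 bytes; the report runs 1001 iterations (b = -1000 .. 0). */
    printf("32-bit size_t: length exceeds limit at iteration %d\n",
           first_overflow_iteration(4, 1001, UINT32_MAX));
    printf("64-bit size_t: length exceeds limit at iteration %d\n",
           first_overflow_iteration(4, 1001, UINT64_MAX));
    return 0;
}
```

The length after k iterations is 4^(k+2) - 12, so a 32-bit size_t is exceeded at iteration 15 and a 64-bit one at iteration 31; a length accumulation without such a check wraps silently long before the loop finishes.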