- Subject: Re: Memory corruption in luaV_execute (lua/Test_lua/lua/lvm.c:1784)
- From: Andrew Gierth <andrew@...>
- Date: Mon, 31 Aug 2020 15:14:53 +0100
>>>>> "Luiz" == Luiz Henrique de Figueiredo <firstname.lastname@example.org> writes:
>> > v55 = string.dump(v19)
>> > v56 = string.format(v55,v16,v6)
>> > v58 = load(v56)
>> This dumps the byte code of v19, then potentially mutilates the dump,
>> then tries to load the potentially malformed byte code. Which, per the
>> documentation, "can crash the interpreter".
Luiz> Loading malformed bytecode should not crash Lua.
Luiz> Running maliciously crafted bytecode can crash the interpreter.
The code in question does in fact run the malformed bytecode:
v55 = string.dump(v19)
v56 = string.format(v55,v16,v6)
v58 = load(v56)
-- at this point, v58 is a function value with invalid bytecode;
v59 = load(v58)
-- load(x) where x is a function assumes that x is a reader function,
-- to be called in order to obtain chunks of input. So v58 is called
-- from inside load(), via generic_reader -> lua_callk -> luaV_execute
-- which then crashes due to the malformed code.
Regardless, the answer is "don't mutilate the bytecode". Sandboxes that
need to prevent the user crashing the interpreter obviously have to
disable the binary load option (along with preventing access to the
debug library, etc.)
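As an added illustration of the sandboxing point above (this is not code from the thread or from the Lua project; it assumes Lua 5.2 or later, where load() takes a mode argument), here is a minimal environment that refuses binary chunks outright, so the string.dump / string.format / load sequence quoted earlier fails at load time instead of reaching luaV_execute. The names make_sandbox and the list of exported globals are assumptions for the example.

```lua
-- Added example (not from the original thread): a small sandbox that forces
-- load()'s mode to "t" and hides string.dump, so no bytecode can be produced
-- or loaded from inside it. Assumes Lua 5.2+ (load(chunk, name, mode, env)).
local function make_sandbox()
  local env = {}
  -- Export an assumed "safe" subset of the base library (adjust as needed).
  for _, name in ipairs{"assert", "error", "ipairs", "pairs", "next", "pcall",
                        "select", "tonumber", "tostring", "type", "xpcall"} do
    env[name] = _G[name]
  end
  -- Copy the string library without string.dump, so sandboxed code cannot
  -- obtain bytecode to mutilate in the first place.
  env.string = {}
  for k, v in pairs(string) do
    if k ~= "dump" then env.string[k] = v end
  end
  env.table, env.math = table, math
  -- load wrapper: any caller-supplied mode is ignored; chunks are text-only
  -- and run with the sandbox table as their environment.
  env.load = function(chunk, chunkname)
    return load(chunk, chunkname, "t", env)
  end
  -- Deliberately absent: debug, loadstring, loadfile, dofile, require.
  return env
end

-- Demonstration: bytecode created outside the sandbox is rejected inside it.
local sandbox  = make_sandbox()
local bytecode = string.dump(function() return 42 end)

-- Direct binary chunk: refused by the mode check before any of it runs.
local f, err = sandbox.load(bytecode, "=blob")
assert(f == nil and err:match("binary chunk"), err)

-- Reader-function form (the shape discussed in the thread): the reader is
-- called for pieces of input, but the first byte is still checked against
-- the binary signature, so this is refused as well.
local pieces = { bytecode }
local g, err2 = sandbox.load(function() return table.remove(pieces, 1) end, "=reader")
assert(g == nil and err2:match("binary chunk"), err2)

-- Ordinary text source still loads, with the restricted environment.
local h = assert(sandbox.load("return (...) * 2", "=text"))
assert(h(21) == 42)
assert(sandbox.load("return string.dump")() == nil)  -- dump is not visible
print("sandbox ok")
```

The mode check is the important part: Lua's loader looks at the first byte of the chunk (whether it comes from a string or from a reader function) and raises "attempt to load a binary chunk (mode is 't')" before any bytecode is interpreted, which is why forcing "t" closes the crash path the thread describes. Removing string.dump is belt-and-braces; it stops the sandbox from manufacturing bytecode, but the mode restriction is what protects against bytecode smuggled in from elsewhere.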