- Subject: Re: Crash Analysis: Finalizer Logic in singlestep function can lead to Sandbox Escape Exploit
- From: Roberto Ierusalimschy <roberto@...>
- Date: Tue, 30 Nov 2021 11:45:08 -0300
> By the way, the signal parameter seems like a good idea, but I can't figure
> out how we can determine whether the finalizer should be skipped or not.
As a rule, we should run finalizers only after everything else we have to do in the GC.

* There are 2 calls in 'entergen'. After it, we have this sequence:
  entergen -> atomic2gen -> finishgencycle -> callallpendingfinalizers
  So, luaC_runtilstate doesn't need to run finalizers, as they will run anyway at the end of 'entergen'.

* There is 1 call in 'stepgenfull': that is the one creating problems. Anyway, after that, we either call atomic2gen or call again luaC_runtilstate; that one can do finalizations, as there is nothing left to be done after that call.

* There are 3 calls in fullinc: again, only the last call needs to run