- Subject: Re: heap-buffer-overflow in luaH_getshortstr
- From: Roberto Ierusalimschy <roberto@...>
- Date: Mon, 21 Feb 2022 15:38:54 -0300
> I found a heap buffer overflow on read in the luaH_getshortstr
> function.
>
> Lua version:
> Lua 5.4.4 Copyright (C) 1994-2022 Lua.org, PUC-Rio (commit
> 5d708c3f9cae12820e415d4f89c9eacbe2ab964b)
>
> How to reproduce:
> ----------
> 1. git clone https://github.com/lua/lua -q
> 2. cd lua/ && make -j$(nproc)
> 3. echo -n
> "bG9jYWwgdSxfLE4sXyx3LE4sZCxXCmZ1bmN0aW9uIGMoRSxMLGwsUyxULHUsTSxULGwsaCxoLHUsdSxsLGgsaCx1LHUsTSx1LHUsdSxsLGgsaCxsKXM9cyBsb2NhbAllLGUsXyxfLE4sZSxzMCxOLFYsXyBmdW5jdGlvbiBjKGIsbClpLHM9TiBsb2NhbCBjIGxvY2FsIF9FTlY8Y29uc3Q+ID0wIG89MCBmdW5jdGlvbiBlKCllbmQ7ZSIicmV0dXJuIGVuZDtlMCxhLHcscyxzLHM9IiJyZXR1cm4jYyIiZW5kO2VlPSIicmV0dXJuDGMiIg=="
> | base64 -d > poc
> 4. ./lua ./poc
> ----------
Thanks for the report. It seems there is a 'luaK_exp2anyregup' missing
in 'singlevar':
--- a/lparser.c
+++ b/lparser.c
@@ -468,6 +468,7 @@ static void singlevar (LexState *ls, expdesc *var) {
expdesc key;
singlevaraux(fs, ls->envn, var, 1); /* get environment variable */
lua_assert(var->k != VVOID); /* this one must exist */
+ luaK_exp2anyregup(fs, var); /* but could be a constant */
codestring(&key, varname); /* key is variable name */
luaK_indexed(fs, var, &key); /* env[varname] */
}
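Review bot: the only explanation of why the environment expression must be forced into a register before luaK_indexed(fs, var, &key) is the trailing comment "but could be a constant" on the added luaK_exp2anyregup(fs, var) line; since luaK_indexed runs right after and the reporter hit the read overflow in luaH_getshortstr, consider expanding that comment to say which expression kind singlevaraux can hand back here and why indexing it without a register breaks, and add a regression script derived from the reproducer in the quoted report so the patched path stays covered by the test suite.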
How did you find this bug?
-- Roberto