Hi! In the Lua 5.4.6 code, using static analysis, we found an error that could potentially lead to a Null dereference. The Null value is explicitly passed as an argument to the luaG_findlocal() function, and further along the algorithm there is a possibility of dereference of this passed value.

Here is the trace leading to the Null dereference:

1. In the ldebug.c file, in the code of the luaG_findlocal() function, its fourth parameter 'pos' is passed to the findvararg() function without checking for Null (line 201):

```
const char *luaG_findlocal (lua_State *L, CallInfo *ci, int n, StkId *pos) {
  StkId base = ci->func.p + 1;
  const char *name = NULL;
  if (isLua(ci)) {
    if (n < 0)  /* access to vararg values? */
      return findvararg(ci, n, pos);
```

2. Next, in the findvararg() function (in line 188 of the ldebug.c file), the pointer in the 'pos' variable is dereferenced. There is also no Null check:

```
static const char *findvararg (CallInfo *ci, int n, StkId *pos) {
  if (clLvalue(s2v(ci->func.p))->p->is_vararg) {
    int nextra = ci->u.l.nextraargs;
    if (n >= -nextra) {  /* 'n' is negative */
      *pos = ci->func.p - nextra - (n + 1);
```

0. The luaG_findlocal() function with the 'pos' parameter, which is explicitly set to Null, is called in the lfunc.c file in the checkclosemth() function on line 129:

```
static void checkclosemth (lua_State *L, StkId level) {
  const TValue *tm = luaT_gettmbyobj(L, s2v(level), TM_CLOSE);
  if (ttisnil(tm)) {  /* no metamethod? */
    int idx = cast_int(level - L->ci->func.p);  /* variable index */
    const char *vname = luaG_findlocal(L, L->ci, idx, NULL);
```

This defect was detected using the Svace static analyzer during the work performed at the Technology Center for Linux Kernel Security Research (portal.linuxtesting.ru).

--
Regards,
Roman Yudichev
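The pattern in this report is an optional out-parameter ('pos') that one branch of the lookup writes through unconditionally while another branch guards it. The following is an added, self-contained C model of that lookup, not Lua's code: the Frame struct, the slot numbers and the names "(vararg)" and "(temporary)" are constructed for illustration, and the vararg slot arithmetic mirrors the expression quoted above (func - nextra - (n + 1)). Every branch that stores through 'pos' checks it for NULL first, so a caller that only wants the name can pass NULL on either path.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a call frame (not Lua's CallInfo): the index of the
 * function slot on a value stack, how many extra vararg values are kept in
 * the slots just below it, and how many locals are active above it. */
typedef struct {
    int func;        /* index of the function slot */
    int nextraargs;  /* extra vararg values stored at func-nextraargs .. func-1 */
    int is_vararg;   /* non-zero if the function accepts varargs */
    int nactive;     /* active local slots at func+1 .. func+nactive */
} Frame;

/* Negative 'n' selects a vararg value. 'pos' is optional; the guard is the
 * check the report says is missing on this branch. */
static const char *find_vararg(const Frame *ci, int n, int *pos) {
    if (ci->is_vararg) {
        int nextra = ci->nextraargs;
        if (n >= -nextra) {               /* 'n' is negative */
            if (pos != NULL)              /* optional out-parameter */
                *pos = ci->func - nextra - (n + 1);
            return "(vararg)";
        }
    }
    return NULL;                          /* no such vararg */
}

/* Positive 'n' selects an active local; negative 'n' is delegated to the
 * vararg lookup. Both paths treat 'pos' the same way. */
static const char *find_local(const Frame *ci, int n, int *pos) {
    int base = ci->func + 1;
    if (n < 0)
        return find_vararg(ci, n, pos);
    if (n > 0 && n <= ci->nactive) {
        if (pos != NULL)
            *pos = base + (n - 1);
        return "(temporary)";
    }
    return NULL;                          /* 'n' outside the frame */
}

/* Constructed sample frame: function at slot 4, two extra varargs at
 * slots 2 and 3, three active locals at slots 5, 6 and 7. */
Frame make_demo_frame(void) {
    Frame f;
    f.func = 4;
    f.nextraargs = 2;
    f.is_vararg = 1;
    f.nactive = 3;
    return f;
}

int main(void) {
    Frame f = make_demo_frame();
    int pos = -1;
    const char *name;

    /* Name-only lookup on the vararg path: NULL out-parameter is safe. */
    name = find_local(&f, -1, NULL);
    printf("n=-1, pos=NULL -> %s\n", name ? name : "(none)");

    /* Same lookup with a position requested. */
    name = find_local(&f, -2, &pos);
    printf("n=-2 -> %s at slot %d\n", name ? name : "(none)", pos);

    name = find_local(&f, 2, &pos);
    printf("n=2 -> %s at slot %d\n", name ? name : "(none)", pos);
    return 0;
}
```

The point of the model is that the NULL check belongs on every branch that stores through the pointer, not only on the common one; a reviewer auditing an out-parameter should trace each `return helper(..., pos)` delegation to confirm the callee applies the same contract.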