oss-sec mailing list archives

CVE request: possible overflow in vararg functions


From: Murray McAllister <mmcallis () redhat com>
Date: Thu, 21 Aug 2014 16:31:27 +1000

Good morning,

An overflow was reported to have been fixed in Lua 5.2.2. A reproducer and patch are available from:

http://www.lua.org/bugs.html#5.2.2-1

The reproducer affects older versions too (such as 5.1.4). One way an attacker could trigger this issue is if they can control parameters to a loadstring call (an eval in Lua, http://en.wikipedia.org/wiki/Eval#Lua).

Could a CVE please be assigned if one has not been already?

Some notes:

valgrind shows this crashes with invalid writes, but I am not sure if this is really a stack or heap overflow or something else. In luaD_precall():

      for (; n < p->numparams; n++)
        setnilvalue(L->top++);  /* complete missing arguments */

This goes through 49 times with the reproducer (possibly lifting what Lua thinks is the stack into the heap area?).

After that finishes:

      ci = next_ci(L);

This results in a call to luaE_extendCI(), where the issue is triggered while attempting to call luaM_new() (I did not get further than this yet).

Thanks,

--
Murray McAllister / Red Hat Product Security

https://bugzilla.redhat.com/show_bug.cgi?id=1132304

