oss-sec mailing list archives
Re: CVE request: possible overflow in vararg functions
From: Murray McAllister <mmcallis () redhat com>
Date: Thu, 21 Aug 2014 16:33:14 +1000
Additionally, Fedora has 5.2.2, but it does not have the fix, so even if shipping 5.2.2 it may be worth checking...
On 08/21/2014 04:31 PM, Murray McAllister wrote:
Good morning, An overflow was reported to have been fixed in Lua 5.2.2. A reproducer and patch are available from: http://www.lua.org/bugs.html#5.2.2-1 The reproducer affects older versions too (such as 5.1.4). One way an attacker could trigger this issue is if they can control parameters to a loadstring call (an eval in Lua, http://en.wikipedia.org/wiki/Eval#Lua). Could a CVE please be assigned if one has not been already? Some notes: valgrind shows this crashes with invalid writes, but I am not sure if this is really a stack or heap overflow but something else. In luaD_precall(): 330 for (; n < p->numparams; n++) 331 setnilvalue(L->top++); /* complete missing arguments */ This goes through 49 times with the reproducer (?possibly lifting what Lua thinks is the stack into the heap area?). After that finishes: 333 ci = next_ci(L); Results in a call to luaE_extendCI(), where the issue is triggered while attempting to call luaM_new() (I did not get further than this yet). Thanks, -- Murray McAllister / Red Hat Product Security https://bugzilla.redhat.com/show_bug.cgi?id=1132304
Current thread:
- CVE request: possible overflow in vararg functions Murray McAllister (Aug 20)
- Re: CVE request: possible overflow in vararg functions Murray McAllister (Aug 20)
- Lua CVE request [was Re: CVE request: possible overflow in vararg functions] Murray McAllister (Aug 20)
- Re: CVE request: possible overflow in vararg functions Florian Weimer (Aug 21)
- Re: Lua CVE request [was Re: CVE request: possible overflow in vararg functions] cve-assign (Aug 25)
- Re: Lua CVE request [was Re: CVE request: possible overflow in vararg functions] Florian Weimer (Aug 26)
- Re: Lua CVE request [was Re: CVE request: possible overflow in vararg functions] cve-assign (Aug 26)
- Re: Lua CVE request [was Re: CVE request: possible overflow in vararg functions] cve-assign (Aug 25)
- Re: CVE request: possible overflow in vararg functions Murray McAllister (Aug 20)