Re: CVE request: possible overflow in vararg functions

[Murray McAllister <mmcallis () redhat com>]

Additionally, Fedora has 5.2.2, but it does not have the fix, so even if 
shipping 5.2.2 it may be worth checking...

On 08/21/2014 04:31 PM, Murray McAllister wrote:
> Good morning,
>
> An overflow was reported to have been fixed in Lua 5.2.2. A reproducer
> and patch are available from:
>
> http://www.lua.org/bugs.html#5.2.2-1
>
> The reproducer affects older versions too (such as 5.1.4). One way an
> attacker could trigger this issue is if they can control parameters to a
> loadstring call (an eval in Lua, http://en.wikipedia.org/wiki/Eval#Lua).
>
> Could a CVE please be assigned if one has not been already?
>
> Some notes:
>
> valgrind shows this crashes with invalid writes, but I am not sure if
> this is really a stack or heap overflow but something else. In
> luaD_precall():
>
> 330       for (; n < p->numparams; n++)
> 331         setnilvalue(L->top++);  /* complete missing arguments */
>
> This goes through 49 times with the reproducer (?possibly lifting what
> Lua thinks is the stack into the heap area?).
>
> After that finishes:
>
> 333       ci = next_ci(L);
>
> Results in a call to luaE_extendCI(), where the issue is triggered while
> attempting to call luaM_new() (I did not get further than this yet).
>
> Thanks,
>
> --
> Murray McAllister / Red Hat Product Security
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1132304