List: lua-l
Subject: Re: heap-buffer-overflow found in luaG_errormsg
From: Jinwei Dong <jwdong2000 () qq ! com>
Date: 2022-05-14 8:25:32
Message-ID: tencent_EEA1CAAB9498770F5B88D22B382F5BF7AE05 () qq ! com
Roberto Ierusalimschy wrote:
> > > I found a heap buffer overflow which can cause a heap double
> > free error.
> > [...]
> The problem seems to be the use of the EXTRA_STACK at luaG_errormsg.
> luaG_errormsg calls luaD_callnoyield, which calls luaD_precall, which
> checks the stack and grows it if needed. However, there can be an error
> before that, in luaE_checkcstack. If luaE_checkcstack raises an error
> (C stack overflow), then luaG_errormsg will be called again without any
> stack check in-between, and then it will again assume EXTRA_STACK and
> that may cause a buffer overflow.
>
> -- Roberto
My debugging results (previous mail) are basically the same as your idea.
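The re-entrancy Roberto describes, as a constructed C model added here (it is not code from this thread and not Lua's own source): a stack with an EXTRA_STACK slack area, an error path that pushes a handler and an error object and then makes a nested C call, and a C-stack check that runs before the Lua-stack check on that call. When the C-stack check itself raises, the error path re-enters and consumes the slack a second time. All names (State, errormsg, checkcstack, call_handler, ensure_stack) and the sizes (BASE_SLOTS, EXTRA_STACK, CSTACK_LIMIT, ERRERR_MARGIN) are simplified assumptions, and the "fixed" variant is one illustrative mitigation (re-checking the stack on the error path), not the patch Lua actually shipped. The model records the out-of-bounds write as a flag rather than performing it, which is the shape of check you would wire into an assertion when fuzzing an interpreter's error paths.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the stack-slack invariant discussed in the thread.
 * Sizes are deliberately small so the failure shows with one re-entry. */
#define BASE_SLOTS    8   /* slots usable by ordinary code (assumption) */
#define EXTRA_STACK   3   /* slack the error path is assumed to have (assumption) */
#define CSTACK_LIMIT  3   /* nested C calls before "C stack overflow" (assumption) */
#define ERRERR_MARGIN 2   /* extra nesting allowed while handling that error (assumption) */

typedef struct {
    int *slots;       /* modelled Lua stack */
    int  top;         /* next free slot */
    int  stack_last;  /* last slot for ordinary code; EXTRA_STACK lies beyond it */
    int  cap;         /* real allocation size: stack_last + EXTRA_STACK */
    int  ccalls;      /* nested C calls, checked by the checkcstack model */
    int  overflowed;  /* set instead of writing past cap */
    int  errerr;      /* set when an error is raised while handling an error */
    int  fixed;       /* 1 = error path re-checks the stack before pushing */
} State;

static void stack_init(State *S, int fixed) {
    memset(S, 0, sizeof *S);
    S->stack_last = BASE_SLOTS;
    S->cap = BASE_SLOTS + EXTRA_STACK;
    S->slots = calloc((size_t)S->cap, sizeof(int));
    if (!S->slots) abort();
    S->fixed = fixed;
}

static void stack_free(State *S) { free(S->slots); }

/* Grow so at least n free slots lie below stack_last (model of a growstack step). */
static void ensure_stack(State *S, int n) {
    if (S->stack_last - S->top >= n) return;
    int oldcap = S->cap;
    S->stack_last = S->top + n;
    S->cap = S->stack_last + EXTRA_STACK;
    S->slots = realloc(S->slots, (size_t)S->cap * sizeof(int));
    if (!S->slots) abort();
    memset(S->slots + oldcap, 0, (size_t)(S->cap - oldcap) * sizeof(int));
}

/* Every write goes through here; the real bug would write past cap. */
static void push(State *S, int v) {
    if (S->top >= S->cap) { S->overflowed = 1; return; }
    S->slots[S->top++] = v;
}

static void errormsg(State *S);

/* Model of the C-stack check on entry to a nested C call. At the limit it raises
 * an error (which re-enters errormsg); a little beyond it, it gives up. */
static int checkcstack(State *S) {
    if (S->ccalls == CSTACK_LIMIT) { errormsg(S); return 0; }
    if (S->ccalls > CSTACK_LIMIT + ERRERR_MARGIN) { S->errerr = 1; return 0; }
    return 1;
}

/* Model of the nested call made by the error path: the C-stack check runs
 * BEFORE the Lua-stack check, which is the ordering the thread points at. */
static void call_handler(State *S) {
    S->ccalls++;
    if (checkcstack(S)) {
        ensure_stack(S, 1);  /* the stack check the error path was relying on */
        push(S, 0xD1);       /* handler frame uses a slot */
    }
    S->ccalls--;
}

/* Model of the error path: pushes handler + error object, then calls the handler. */
static void errormsg(State *S) {
    if (S->fixed) ensure_stack(S, 2);  /* mitigation: do not trust EXTRA_STACK on re-entry */
    push(S, 0xE0);  /* message handler */
    push(S, 0xE1);  /* error object */
    call_handler(S);
}

/* Ordinary code has used the whole normal area and sits one nested C call below
 * the limit when an error is raised. Returns 1 if an out-of-bounds write was attempted. */
int simulate(int fixed) {
    State S;
    stack_init(&S, fixed);
    while (S.top < S.stack_last) push(&S, 0xAA);
    S.ccalls = CSTACK_LIMIT - 1;
    errormsg(&S);
    int r = S.overflowed;
    stack_free(&S);
    return r;
}

int main(void) {
    printf("error path trusts EXTRA_STACK: overflow=%d\n", simulate(0));
    printf("error path re-checks stack:    overflow=%d\n", simulate(1));
    return 0;
}
```

With the trusting error path, the nested errormsg's second push lands on slot index cap, exactly one past the allocation; with the re-check, each entry grows the stack first and the slack is never overdrawn.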