Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 21 Aug 2014 16:31:27 +1000
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: possible overflow in vararg functions

Good morning,

An overflow was reported to have been fixed in Lua 5.2.2. A reproducer 
and patch are available from:

http://www.lua.org/bugs.html#5.2.2-1

The reproducer affects older versions too (such as 5.1.4). One way an 
attacker could trigger this issue is if they can control parameters to a 
loadstring call (an eval in Lua, http://en.wikipedia.org/wiki/Eval#Lua).

Could a CVE please be assigned if one has not been already?

Some notes:

valgrind shows this crashes with invalid writes, but I am not sure if 
this is really a stack or heap overflow but something else. In 
luaD_precall():

330       for (; n < p->numparams; n++)
331         setnilvalue(L->top++);  /* complete missing arguments */

This goes through 49 times with the reproducer (?possibly lifting what 
Lua thinks is the stack into the heap area?).

After that finishes:

333       ci = next_ci(L);

Results in a call to luaE_extendCI(), where the issue is triggered while 
attempting to call luaM_new() (I did not get further than this yet).

Thanks,

--
Murray McAllister / Red Hat Product Security

https://bugzilla.redhat.com/show_bug.cgi?id=1132304

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ