Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 21 Aug 2014 16:34:35 +1000
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Lua CVE request [was Re: CVE request: possible overflow in vararg
 functions]

Last spam, changing the subject so it is obvious where the issue is.

On 08/21/2014 04:33 PM, Murray McAllister wrote:
> Additionally, Fedora has 5.2.2, but it does not have the fix, so even if
> shipping 5.2.2 it may be worth checking...
>
> On 08/21/2014 04:31 PM, Murray McAllister wrote:
>> Good morning,
>>
>> An overflow was reported to have been fixed in Lua 5.2.2. A reproducer
>> and patch are available from:
>>
>> http://www.lua.org/bugs.html#5.2.2-1
>>
>> The reproducer affects older versions too (such as 5.1.4). One way an
>> attacker could trigger this issue is if they can control parameters to a
>> loadstring call (an eval in Lua, http://en.wikipedia.org/wiki/Eval#Lua).
>>
>> Could a CVE please be assigned if one has not been already?
>>
>> Some notes:
>>
>> valgrind shows this crashes with invalid writes, but I am not sure if
>> this is really a stack or heap overflow but something else. In
>> luaD_precall():
>>
>> 330       for (; n < p->numparams; n++)
>> 331         setnilvalue(L->top++);  /* complete missing arguments */
>>
>> This goes through 49 times with the reproducer (?possibly lifting what
>> Lua thinks is the stack into the heap area?).
>>
>> After that finishes:
>>
>> 333       ci = next_ci(L);
>>
>> Results in a call to luaE_extendCI(), where the issue is triggered while
>> attempting to call luaM_new() (I did not get further than this yet).
>>
>> Thanks,
>>
>> --
>> Murray McAllister / Red Hat Product Security
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1132304
>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ