Date: Thu, 21 Aug 2014 16:31:27 +1000 From: Murray McAllister <mmcallis@...hat.com> To: oss-security@...ts.openwall.com Subject: CVE request: possible overflow in vararg functions Good morning, An overflow was reported to have been fixed in Lua 5.2.2. A reproducer and patch are available from: http://www.lua.org/bugs.html#5.2.2-1 The reproducer affects older versions too (such as 5.1.4). One way an attacker could trigger this issue is if they can control parameters to a loadstring call (an eval in Lua, http://en.wikipedia.org/wiki/Eval#Lua). Could a CVE please be assigned if one has not been already? Some notes: valgrind shows this crashes with invalid writes, but I am not sure if this is really a stack or heap overflow but something else. In luaD_precall(): 330 for (; n < p->numparams; n++) 331 setnilvalue(L->top++); /* complete missing arguments */ This goes through 49 times with the reproducer (?possibly lifting what Lua thinks is the stack into the heap area?). After that finishes: 333 ci = next_ci(L); Results in a call to luaE_extendCI(), where the issue is triggered while attempting to call luaM_new() (I did not get further than this yet). Thanks, -- Murray McAllister / Red Hat Product Security https://bugzilla.redhat.com/show_bug.cgi?id=1132304
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.