Date: Thu, 21 Aug 2014 16:33:14 +1000
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: possible overflow in vararg functions

Additionally, Fedora has 5.2.2, but it does not have the fix, so even if
you are shipping 5.2.2 it may be worth checking...

On 08/21/2014 04:31 PM, Murray McAllister wrote:
> Good morning,
>
> An overflow was reported to have been fixed in Lua 5.2.2. A reproducer
> and patch are available from:
>
> http://www.lua.org/bugs.html#5.2.2-1
>
> The reproducer affects older versions too (such as 5.1.4). One way an
> attacker could trigger this issue is if they can control parameters to a
> loadstring call (an eval in Lua, http://en.wikipedia.org/wiki/Eval#Lua).
>
> Could a CVE please be assigned if one has not been already?
>
> Some notes:
>
> valgrind shows this crashes with invalid writes, but I am not sure if
> this is really a stack or heap overflow, or something else. In
> luaD_precall():
>
> 330       for (; n < p->numparams; n++)
> 331         setnilvalue(L->top++);  /* complete missing arguments */
>
> This goes through 49 times with the reproducer (?possibly lifting what
> Lua thinks is the stack into the heap area?).
>
> After that finishes:
>
> 333       ci = next_ci(L);
>
> Results in a call to luaE_extendCI(), where the issue is triggered while
> attempting to call luaM_new() (I did not get further than this yet).
>
> Thanks,
>
> --
> Murray McAllister / Red Hat Product Security
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1132304
