Message-ID: <53F5923F.5000402@redhat.com>
Date: Thu, 21 Aug 2014 16:31:27 +1000
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: possible overflow in vararg functions

Good morning,

An overflow was reported to have been fixed in Lua 5.2.2. A reproducer 
and patch are available from:

http://www.lua.org/bugs.html#5.2.2-1

The reproducer affects older versions too (such as 5.1.4). One way an 
attacker could trigger this issue is if they can control parameters to a 
loadstring call (an eval in Lua, http://en.wikipedia.org/wiki/Eval#Lua).

Could a CVE please be assigned if one has not been already?

Some notes:

valgrind shows this crashes with invalid writes, but I am not sure if 
this is really a stack or heap overflow, or something else. In 
luaD_precall():

      for (; n < p->numparams; n++)
        setnilvalue(L->top++);  /* complete missing arguments */

This goes through 49 times with the reproducer (?possibly lifting what 
Lua thinks is the stack into the heap area?).

After that finishes:

      ci = next_ci(L);

Results in a call to luaE_extendCI(), where the issue is triggered while 
attempting to call luaM_new() (I did not get further than this yet).

Thanks,

--
Murray McAllister / Red Hat Product Security

https://bugzilla.redhat.com/show_bug.cgi?id=1132304
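Added note and example (not part of the message above, and not Lua source): the toy model below replays the call-prologue ordering the report walks through, so the reason the nil-fill loop runs off the checked region can be seen without Lua and valgrind. It tracks a stack with an explicit "checked bound" like luaD_checkstack would establish, performs one check for the frame size, completes the missing fixed parameters with nil (the quoted loop), and then, for a vararg function, copies the fixed parameters above the varargs the way adjust_varargs does. The `recheck` flag models my understanding of the 5.2.3 fix (a second stack check before that copy, since `base` has moved); the authoritative patch is the one linked at lua.org above. The 49 fixed parameters match the 49 iterations counted in the report; the 50-slot frame, the 256-slot toy stack and the zero-argument call are assumptions, and every `toy_*` name is mine.

```c
#include <stdbool.h>
#include <stdio.h>

#define STACK_SLOTS 256   /* assumed capacity of the toy stack */

/* Toy stand-in for the lua_State stack: 'top' mirrors L->top, 'reserved' is
   how far the last stack check guaranteed space (real Lua may grow the stack
   on a check; the toy only records the checked bound and counts writes past it). */
typedef struct {
    int slots[STACK_SLOTS];
    int top;
    int reserved;
    int overflows;   /* writes that landed past the checked bound */
} toy_stack;

static void toy_init(toy_stack *s, int nargs) {
    int i;
    for (i = 0; i < STACK_SLOTS; i++) s->slots[i] = -1;
    s->slots[0] = 1000;                                   /* the function object */
    for (i = 0; i < nargs; i++) s->slots[1 + i] = 1 + i;  /* actual arguments */
    s->top = 1 + nargs;
    s->reserved = s->top;
    s->overflows = 0;
}

/* Like luaD_checkstack(L, n): guarantee n free slots above top. */
static void toy_checkstack(toy_stack *s, int n) {
    if (s->top + n > s->reserved) s->reserved = s->top + n;
    if (s->reserved > STACK_SLOTS) s->reserved = STACK_SLOTS;
}

/* Like setnilvalue(L->top++) or setobjs2s(L, L->top++, ...): one write at top. */
static void toy_push(toy_stack *s, int v) {
    if (s->top >= s->reserved) s->overflows++;
    if (s->top < STACK_SLOTS) s->slots[s->top] = v;
    s->top++;
}

/* Model of the prologue: one check for maxstacksize, fill missing parameters
   with nil (the loop quoted in the report), then for a vararg function copy
   the fixed parameters above the varargs. 'recheck' adds the second stack
   check before that copy. Returns the number of writes past the checked
   bound; 0 means the frame stayed inside what was checked. */
static int toy_precall(int numparams, int maxstacksize, bool is_vararg,
                       int nargs, bool recheck) {
    toy_stack s;
    int n, i;
    toy_init(&s, nargs);
    toy_checkstack(&s, maxstacksize);
    n = s.top - 1;                             /* number of real arguments */
    for (; n < numparams; n++)
        toy_push(&s, 0);                       /* complete missing arguments with nil */
    if (is_vararg) {
        int fixed = s.top - n;                 /* first fixed argument */
        if (recheck)
            toy_checkstack(&s, maxstacksize);  /* check again for the new base */
        for (i = 0; i < numparams; i++) {
            toy_push(&s, s.slots[fixed + i]);  /* move fixed parameter up */
            s.slots[fixed + i] = 0;            /* leave nil behind */
        }
    }
    return s.overflows;
}

int main(void) {
    /* assumed shape: 49 fixed parameters, 50-slot frame, called with no arguments */
    printf("vararg, no re-check:   %d writes past the checked bound\n",
           toy_precall(49, 50, true, 0, false));
    printf("vararg, with re-check: %d writes past the checked bound\n",
           toy_precall(49, 50, true, 0, true));
    printf("non-vararg:            %d writes past the checked bound\n",
           toy_precall(49, 50, false, 0, false));
    return 0;
}
```

The single pre-fill check covers maxstacksize slots above the original top, but after the nil fill a vararg function needs room for a second copy of all numparams fixed parameters, which is why the toy only overflows in the vararg case with fewer arguments than fixed parameters; calling the same function with all 49 arguments supplied stays inside the checked bound in both variants.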
