several bugs related to precompiled code

author: Roberto Ierusalimschy <roberto@inf.puc-rio.br> 2008-04-01 16:17:48 -0300
committer: Roberto Ierusalimschy <roberto@inf.puc-rio.br> 2008-04-01 16:17:48 -0300
commit: e64b0cada8909b97029c7fcccf12e312e7d2a9c9 (patch)
tree: 04584a55dc4d83510ce655d93685631d76110f07
parent: 7316d61a66a3dda73009d9bcf9b1bc63351b3563 (diff)
download: lua-e64b0cada8909b97029c7fcccf12e312e7d2a9c9.tar.gz
lua-e64b0cada8909b97029c7fcccf12e312e7d2a9c9.tar.bz2
lua-e64b0cada8909b97029c7fcccf12e312e7d2a9c9.zip
1 files changed, 53 insertions, 0 deletions
diff --git a/bugs b/bugs
index 1dbca762..a52ba06d 100644
--- a/bugs
+++ b/bugs
@@ -1797,9 +1797,62 @@ patch = [[
 }
 Bug{
+what = [[The validator for precompiled code has several flaws that
+allow malicious binary code to crash the application]],
+report = [[Peter Cawley, on 2008/03/24]],
+since = [[5.0]],
+example = [[
+a = string.dump(function()return;end)
+a = a:gsub(string.char(30,37,122,128), string.char(34,0,0), 1)
+loadstring(a)()
+]],
+patch = [[ ]],
+}
+Bug{
+what = [[maliciously crafted precompiled code can blow the C stack]],
+report = [[Greg Falcon, on 2008/03/25]],
+since = [[5.0]],
+example = [[
+function crash(depth)
+  local init = '\27\76\117\97\81\0\1\4\4\4\8\0\7\0\0\0\61\115\116' ..
+               '\100\105\110\0\1\0\0\0\1\0\0\0\0\0\0\2\2\0\0\0\36' ..
+               '\0\0\0\30\0\128\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0' ..
+               '\1\0\0\0\0\0\0\2'
+  local mid = '\1\0\0\0\30\0\128\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0'
+  local fin = '\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0\2\0' ..
+              '\0\0\97\0\1\0\0\0\1\0\0\0\0\0\0\0'
+  local lch = '\2\0\0\0\36\0\0\0\30\0\128\0\0\0\0\0\1\0\0\0\0\0\0' ..
+              '\0\1\0\0\0\1\0\0\0\0\0\0\2'
+  local rch = '\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0\2\0' ..
+              '\0\0\97\0\1\0\0\0\1'
+  for i=1,depth do lch,rch = lch..lch,rch..rch end
+  loadstring(init .. lch .. mid .. rch .. fin)
+end
+for i=1,25 do print(i); crash(i) end
+]],
+patch = [[ ]],
+}
+Bug{
+what = [[code validator may reject (maliciously crafted) correct code]],
+report = [[Greg Falcon, on 2008/03/26]],
+since = [[5.0]],
+example = [[
+z={}
+for i=1,27290 do z[i]='1,' end
+z = 'if 1+1==2 then local a={' .. table.concat(z) .. '} end'
+func = loadstring(z)
+print(loadstring(string.dump(func)))
+]],
+patch = [[ ]],
+}
+Bug{
 what = [[ ]],
 report = [[ , on ]],
 since = [[i ]],
 example = [[ ]],
 patch = [[ ]],
 }
author	Roberto Ierusalimschy <roberto@inf.puc-rio.br>	2008-04-01 16:17:48 -0300
committer	Roberto Ierusalimschy <roberto@inf.puc-rio.br>	2008-04-01 16:17:48 -0300
commit	e64b0cada8909b97029c7fcccf12e312e7d2a9c9 (patch)
tree	04584a55dc4d83510ce655d93685631d76110f07
parent	7316d61a66a3dda73009d9bcf9b1bc63351b3563 (diff)
download	lua-e64b0cada8909b97029c7fcccf12e312e7d2a9c9.tar.gz lua-e64b0cada8909b97029c7fcccf12e312e7d2a9c9.tar.bz2 lua-e64b0cada8909b97029c7fcccf12e312e7d2a9c9.zip

diff --git a/bugs b/bugs index 1dbca762..a52ba06d 100644 --- a/bugs +++ b/bugs
@@ -1797,9 +1797,62 @@ patch = [[
1797	}	1797	}
1798		1798
1799	Bug{	1799	Bug{
		1800	what = [[The validator for precompiled code has several flaws that
		1801	allow malicious binary code to crash the application]],
		1802	report = [[Peter Cawley, on 2008/03/24]],
		1803	since = [[5.0]],
		1804	example = [[
		1805	a = string.dump(function()return;end)
		1806	a = a:gsub(string.char(30,37,122,128), string.char(34,0,0), 1)
		1807	loadstring(a)()
		1808	]],
		1809	patch = [[ ]],
		1810	}
		1811
		1812	Bug{
		1813	what = [[maliciously crafted precompiled code can blow the C stack]],
		1814	report = [[Greg Falcon, on 2008/03/25]],
		1815	since = [[5.0]],
		1816	example = [[
		1817	function crash(depth)
		1818	local init = '\27\76\117\97\81\0\1\4\4\4\8\0\7\0\0\0\61\115\116' ..
		1819	'\100\105\110\0\1\0\0\0\1\0\0\0\0\0\0\2\2\0\0\0\36' ..
		1820	'\0\0\0\30\0\128\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0' ..
		1821	'\1\0\0\0\0\0\0\2'
		1822	local mid = '\1\0\0\0\30\0\128\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0'
		1823	local fin = '\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0\2\0' ..
		1824	'\0\0\97\0\1\0\0\0\1\0\0\0\0\0\0\0'
		1825	local lch = '\2\0\0\0\36\0\0\0\30\0\128\0\0\0\0\0\1\0\0\0\0\0\0' ..
		1826	'\0\1\0\0\0\1\0\0\0\0\0\0\2'
		1827	local rch = '\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0\2\0' ..
		1828	'\0\0\97\0\1\0\0\0\1'
		1829	for i=1,depth do lch,rch = lch..lch,rch..rch end
		1830	loadstring(init .. lch .. mid .. rch .. fin)
		1831	end
		1832	for i=1,25 do print(i); crash(i) end
		1833	]],
		1834	patch = [[ ]],
		1835	}
		1836
		1837	Bug{
		1838	what = [[code validator may reject (maliciously crafted) correct code]],
		1839	report = [[Greg Falcon, on 2008/03/26]],
		1840	since = [[5.0]],
		1841	example = [[
		1842	z={}
		1843	for i=1,27290 do z[i]='1,' end
		1844	z = 'if 1+1==2 then local a={' .. table.concat(z) .. '} end'
		1845	func = loadstring(z)
		1846	print(loadstring(string.dump(func)))
		1847	]],
		1848	patch = [[ ]],
		1849	}
		1850
		1851	Bug{
1800	what = [[ ]],	1852	what = [[ ]],
1801	report = [[ , on ]],	1853	report = [[ , on ]],
1802	since = [[i ]],	1854	since = [[i ]],
1803	example = [[ ]],	1855	example = [[ ]],
1804	patch = [[ ]],	1856	patch = [[ ]],
1805	}	1857	}
		1858