From 89aee84cbc9224f638f3b7951b306d2ee8ecb71e Mon Sep 17 00:00:00 2001
From: Roberto Ierusalimschy
Date: Wed, 27 Mar 2019 14:30:12 -0300
Subject: Fixed bug in 'lua_upvaluejoin'

Bug-fix: joining an upvalue with itself could cause a use-after-free crash.
---
 bugs | 64 +++++++++++++++++++++++++++++++++-------------------------------
 1 file changed, 33 insertions(+), 31 deletions(-)

(limited to 'bugs')

diff --git a/bugs b/bugs
index 91899ce3..84cd3c2d 100644
--- a/bugs
+++ b/bugs
@@ -357,7 +357,7 @@ co = coroutine.create(co_func)
 coroutine.resume(co)
 coroutine.resume(co) --> seg. fault
 ]],
-report = [[by Alex Bilyk, 09/05/2003]],
+report = [[by Alex Bilyk, 09/05/2003]],
 patch = [[
 * ldo.c:
 325,326c325
@@ -399,7 +399,7 @@ what = [[file:close cannot be called without a file. (results in seg fault)]],
 example = [[
 > io.stdin.close() -- correct call shold be io.stdin:close()
 ]],
-report = [[by Tuomo Valkonen, 27/05/2003]],
+report = [[by Tuomo Valkonen, 27/05/2003]],
 patch = [[
 * liolib.c:
 161c161
@@ -1641,7 +1641,7 @@ what = [[debug.sethook/gethook may overflow the thread's stack]],
 report = [[Ivko Stanilov, on 2008/01/04]],
 since = [[5.1]],
 example = [[
-a = coroutine.create(function() yield() end)
+a = coroutine.create(function() yield() end)
 coroutine.resume(a)
 debug.sethook(a) -- may overflow the stack of 'a'
 ]],
@@ -2707,7 +2707,7 @@ local firsttime = true
 local function foo ()
 if firsttime then
 firsttime = false
- return "a = 1"
+ return "a = 1"
 else
 for i = 1, 10 do
 print(debug.getlocal(2, i))
@@ -2899,28 +2899,6 @@ patch = [[
 ]]
 }
-Bug{
-what = [[Lua does not check memory use when creating error messages]],
-report = [[John Dunn, 2012/09/24]],
-since = [[5.2.0]],
-fix = nil,
-example = [[
-local code = "function test()\n bob.joe.larry = 23\n end"
-
-load(code)()
-
--- memory will grow steadly
-for i = 1, math.huge do
- pcall(test)
- if i % 100000 == 0 then
- io.write(collectgarbage'count'*1024, "\n")
- end
-end
-]],
-patch = [[
-]]
-}
-
@@ -3859,11 +3837,11 @@ report = [[Viacheslav Usov, 2017/07/06]],
 since = [[5.3.2]],
 fix = nil,
 example = [[
-function test()
+function test()
 bob.joe.larry = 23
 end
--- memory will grow steadly
+-- memory will grow steadly
 for i = 1, math.huge do
 pcall(test)
 if i % 100000 == 0 then
@@ -3892,7 +3870,7 @@ report = [[云风 Cloud Wu, 2017/08/15]],
 since = [[5.2]],
 fix = nil,
 example = [[
--- The following chunk, under a memory checker like valgrind,
+-- The following chunk, under a memory checker like valgrind,
 -- produces a memory access violation.
 local a = setmetatable({}, {__mode = 'kv'})
@@ -4020,7 +3998,6 @@ patch = [[
 -----------------------------------------------------------------
 -- Lua 5.3.5
---[=[
 Bug{
 what = [[Long brackets with a huge number of '=' overflow some internal buffer arithmetic]],
@@ -4111,9 +4088,34 @@ patch = [[
 }
 ]]
 }
-]=]
+Bug{
+what = [[joining an upvalue with itself can cause a use-after-free crash]],
+report = [[Fady Othman, 2019/01/10]],
+since = [[5.3]],
+fix = nil,
+example = [[
+-- the next code may crash the machine
+f=load(function() end)
+interesting={}
+interesting[0]=string.rep("A",512)
+debug.upvaluejoin(f,1,f,1)
+]],
+patch = [[
+--- a/lapi.c
++++ b/lapi.c
+@@ -1289,6 +1289,8 @@ LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1,
+ LClosure *f1;
+ UpVal **up1 = getupvalref(L, fidx1, n1, &f1);
+ UpVal **up2 = getupvalref(L, fidx2, n2, NULL);
++ if (*up1 == *up2)
++ return;
+ luaC_upvdeccount(L, *up1);
+ *up1 = *up2;
+ (*up1)->refcount++;
+]]
+}
 --[=[
-- 
cgit v1.2.3-55-g6feb
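Review bot: The early return the quoted lapi.c patch adds (`if (*up1 == *up2) return;`) carries no comment saying why a self-join needs its own branch, and a future reader could fold it away as a mere no-op shortcut; suggest `/* same upvalue: luaC_upvdeccount could free it before the refcount++ below */` directly above it. An equivalent branch-free ordering is to take the new reference before dropping the old one — `(*up2)->refcount++; luaC_upvdeccount(L, *up1); *up1 = *up2;` — so that statement order rather than a special case carries the invariant; either form is fine, but whichever is kept deserves that comment. The quoted hunk begins at the signature of lua_upvaluejoin, so any remaining body and the index validation inside getupvalref are outside it. Since the fix lands in the C API function itself, it presumably also covers host code calling lua_upvaluejoin directly and not only `debug.upvaluejoin` from scripts, which is what the example exercises.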