CVE-2021-44647: SEGV that occurs during error handling that occurs in the __close metamethod of to-be-closed after calling os.exit

Lua 5.4.4 and 5.4.2 are affected by a SEGV caused by type confusion in the funcnamefromcode function in ldebug.c, which can cause a local denial of service.


  • Subject: Re: Crash : SEGV that occurs during error handling that occurs in the __close metamethod of to-be-closed after calling os.exit
  • From: Roberto Ierusalimschy <roberto@…>
  • Date: Tue, 30 Nov 2021 15:11:36 -0300

> Hi, I found an interesting SEGV crash on Lua interpreter.
>
> Lua 5.4.4, commit hash ad3942adba574c9d008c99ce2785a5af19d146bf
>
> […]
> local function v(a, b, c, ...) return os.exit(0, true) end
>
> local function a() return h() end
>
> local e <close> = setmetatable({}, {__close = a})
>
> v()

Many thanks for the feedback.

The issue here is that, when closing the state, Lua assumes its stack is going away, so it could close ‘e’ using all the stack after it. However, the call to ‘v’ is still pending, and when the error tries to create a traceback, the information about the call to ‘v’ has been messed up by the closing of ‘e’.

The fix seems simple:

— a/lstate.c +++ b/lstate.c @@ -271,6 +271,7 @@ static void close_state (lua_State *L) { if (!completestate(g)) /* closing a partially built state? */ luaC_freeallobjects(L); /* just collect its objects */ else { /* closing a fully built state */

  • L->ci = &L->base_ci; /* unwind CallInfo list */ luaD_closeprotected(L, 1, LUA_OK); /* close all upvalues */ luaC_freeallobjects(L); /* collect all objects */ luai_userstateclose(L);
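Review bot: the added `L->ci = &L->base_ci; /* unwind CallInfo list */` is correctly placed ahead of `luaD_closeprotected(L, 1, LUA_OK);`, but the comment only says what the line does, not why; it would help future readers to record that an error raised by a __close metamethod builds a traceback that walks the CallInfo list, and without this unwind that list still describes the pending call to ‘v’ whose stack slots the close may have reused. A regression test exercising os.exit(0, true) with a __close metamethod that raises (the reproducer from the report) would guard this path.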

– Roberto
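A host-side mitigation for embedders who cannot yet ship the fix, added here as an example and not part of Roberto's post: replace `os.exit` before loading untrusted chunks so a script can never close the state from inside a pending call; the request is unwound as an error and honoured only at top level, once every frame (and every pending <close> variable) is gone. The `run` helper, the `EXIT` sentinel and the constructed `script` are assumptions of this example.

```lua
-- Added example (not from the original post). Guard against scripts closing
-- the running state from inside a pending call, the situation behind the crash.
local real_exit = os.exit
local EXIT = {}                  -- sentinel metatable marking an exit request

os.exit = function(code, close)
  -- Do not close the state here: frames (like 'v' in the report) are still
  -- pending. Raise a tagged error so the stack unwinds normally, running
  -- any <close> variables on the way out.
  error(setmetatable({ code = code, close = close }, EXIT), 0)
end

-- Runs an untrusted chunk; honours an exit request only after unwinding.
local function run(chunk, ...)
  local ok, err = pcall(chunk, ...)
  if ok then return true end
  if getmetatable(err) == EXIT then
    -- No Lua frames are pending now, so closing the state is safe.
    real_exit(err.code, err.close)
  end
  -- Any other error (including one raised by a __close metamethod, which
  -- replaces the exit request during unwinding) is reported, not crashed on.
  return false, err
end

-- Constructed input mirroring the report: __close raises, os.exit asked to close.
local script = [[
  local function a() return h() end        -- h is undefined: __close errors
  local e <close> = setmetatable({}, {__close = a})
  local function v() return os.exit(0, true) end
  v()
]]
print(run(assert(load(script))))
```

With the reproducer the call returns false plus the __close error instead of closing the state mid-call; a well-behaved script that calls os.exit(0, true) at top level still exits with the state closed.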
