CVE-2019-6706: use-after-free in lua_upvaluejoin function


CVE-2019-6706: use-after-free in lua_upvaluejoin function

Matěj Cepl
Hi,

do you think this could be a good reformulation of this thread?
Any further comments?

Best,

Matěj

--
https://matej.ceplovi.cz/blog/, Jabber: [hidden email]
GPG Finger: 3C76 A027 CA45 AD70 98B5  BC1D 7920 5802 880B C9D8
 
If the Good Lord had wanted us to enjoy ourselves, he wouldn’t
have granted us His precious gift of relentless misery.
  -- Jean Calvin in "Calvin and the Chipmunks" comic strip
     https://mcepl.fedorapeople.org/tmp/calvin_and_the_chipmunks.jpg


Re: CVE-2019-6706: use-after-free in lua_upvaluejoin function

fady osman
I believe this patch will do it.

On Fri, Jan 25, 2019 at 1:23 PM Matěj Cepl <[hidden email]> wrote:
Hi,

do you think this could be a good reformulation of this thread?
Any further comments?

Best,

Matěj



--

Fady Othman
Information Security Consultant

Security Consultant # ZINAD IT
G006D-THUB, Dubai Silicon Oasis, Dubai, U.A.E


Re: CVE-2019-6706: use-after-free in lua_upvaluejoin function

Roberto Ierusalimschy
In reply to this post by Matěj Cepl
> do you think this could be a good reformulation of this thread? Any further
> comments?
> [...]
> --- a/src/lapi.c
> +++ b/src/lapi.c
> @@ -1285,14 +1285,14 @@ LUA_API void *lua_upvalueid (lua_State *
>  
>  LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1,
>                                              int fidx2, int n2) {
> -  LClosure *f1;
> -  UpVal **up1 = getupvalref(L, fidx1, n1, &f1);
> +  UpVal **up1 = getupvalref(L, fidx1, n1, NULL); /* the last parameter not needed */
>    UpVal **up2 = getupvalref(L, fidx2, n2, NULL);
> +  if (*up1 == *up2) return; /* Already joined */
> +  (*up2)->refcount++;
> +  if (upisopen(*up2)) (*up2)->u.open.touched = 1;
> +  luaC_upvalbarrier(L, *up2);
>    luaC_upvdeccount(L, *up1);
>    *up1 = *up2;
> -  (*up1)->refcount++;
> -  if (upisopen(*up1)) (*up1)->u.open.touched = 1;
> -  luaC_upvalbarrier(L, *up1);
>  }
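Review bot: the hunk carries two independent fixes for the aliasing case (`*up1 == *up2`) and either one is enough on its own: the added `if (*up1 == *up2) return;` skips the join entirely, and moving `(*up2)->refcount++` ahead of `luaC_upvdeccount(L, *up1)` guarantees the count cannot reach zero before `*up1` is read again. Keeping both is harmless, but a reader of this hunk cannot tell which line is the fix; say in a comment that the reorder is the fix and the early return is an optimisation (or the other way round). Also, `/* the last parameter not needed */` on the `getupvalref` call reads as a note to the reviewer rather than as code documentation; drop it, since the neighbouring `up2` call already passes NULL without comment.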

I did not understand why simply adding the test 'if (*up1 == *up2) return'
isn't enough.

-- Roberto
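To make Roberto's question concrete, here is an added toy model (constructed for this page, not Lua's own code) of the refcount handling in `lua_upvaluejoin`. It runs the pre-fix order, the pre-fix order guarded only by the equality test, and the patch's reordered version on the aliasing case, recording a touch of a "freed" upvalue instead of actually freeing it. It ignores the open/closed distinction and the GC barrier of the real `luaC_upvdeccount`.

```c
/* Toy model of a Lua 5.3 upvalue, constructed for this example (not Lua's own
 * code): a refcount plus a "freed" flag standing in for the real free(), so a
 * use-after-free can be observed instead of being undefined behaviour. */
typedef struct UpVal {
  int refcount;
  int freed;   /* set when the refcount drops to zero (simulated free) */
} UpVal;

/* Stands in for luaC_upvdeccount: drop one reference, "free" at zero. */
static void upvdeccount(UpVal *uv) {
  if (--uv->refcount == 0) uv->freed = 1;
}

/* Order used before the fix. Returns 1 if it touched a freed upvalue. */
static int join_original(UpVal **up1, UpVal **up2) {
  upvdeccount(*up1);            /* may free *up1 ...                       */
  *up1 = *up2;                  /* ... which is the same object if aliased */
  if ((*up1)->freed) return 1;  /* the CVE-2019-6706 use-after-free        */
  (*up1)->refcount++;
  return 0;
}

/* Roberto's variant: original order, guarded only by the equality test. */
static int join_with_test(UpVal **up1, UpVal **up2) {
  if (*up1 == *up2) return 0;   /* already joined: nothing to do */
  return join_original(up1, up2);
}

/* The patch's reordering: take the new reference before dropping the old. */
static int join_reordered(UpVal **up1, UpVal **up2) {
  (*up2)->refcount++;           /* if aliased, refcount is now >= 2 ... */
  upvdeccount(*up1);            /* ... so this cannot reach zero        */
  *up1 = *up2;
  return (*up1)->freed;
}

/* Aliasing case: one upvalue with a single reference sits in both slots. */
static int aliased_join_touches_freed(int (*join)(UpVal **, UpVal **)) {
  UpVal uv = { 1, 0 };
  UpVal *slot1 = &uv, *slot2 = &uv;
  return join(&slot1, &slot2);
}

/* Ordinary case: two distinct upvalues, one reference each; every variant
 * must leave the joined upvalue alive with two references (-1 on a UAF). */
static int distinct_join_final_refcount(int (*join)(UpVal **, UpVal **)) {
  UpVal a = { 1, 0 }, b = { 1, 0 };
  UpVal *slot1 = &a, *slot2 = &b;
  return join(&slot1, &slot2) ? -1 : b.refcount;
}
```

Only the pre-fix order touches the freed upvalue, and only in the aliasing case; the equality test alone and the reorder alone each avoid it, which is why the two lines in the patch are redundant with each other.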