Heap use after free in lua_checkstack


Heap use after free in lua_checkstack

Yongheng Chen

Hi,

We found a heap use after free in lua_checkstack. Here’s the POC:

function errfunc() pcall(4) do coroutine.resume(coroutine.create(
    function() do local a function errfunc()
        a = {} loadstring 'fail' end coroutine.wrap(function() print(
            xpcall(test, errfunc)) end)() coro() end end))() end
    end(function() print(xpcall(test, errfunc)) end)()

Lua version 5.4.0, git hash 34affe7a63fc5d842580a9f23616d057e17dfe27

Sent from Mail for Windows 10

Re: Heap use after free in lua_checkstack

Roberto Ierusalimschy
>    We found a heap use after free in lua_checkstack. Here’s the POC:
>
>    function errfunc() pcall(4) do coroutine.resume(coroutine.create(
>        function() do local a function errfunc()
>            a = {} loadstring 'fail' end coroutine.wrap(function() print(
>                xpcall(test, errfunc)) end)() coro() end end))() end
>        end(function() print(xpcall(test, errfunc)) end)()
>
>    Lua version 5.4.0, git hash 34affe7a63fc5d842580a9f23616d057e17dfe27

I could not reproduce this one. (But I will look at it again later.)

-- Roberto

RE: Heap use after free in lua_checkstack

Yongheng Chen

This is the original POC before reduction. Maybe this can be reproduced: https://gist.github.com/Changochen/7e63b9df1df910c969e7ac7d4020d379

Yongheng

From: [hidden email]
Sent: Saturday, July 25, 2020 2:44 PM
To: [hidden email]
Subject: Re: Heap use after free in lua_checkstack

>    We found a heap use after free in lua_checkstack. Here’s the POC:
>
>    function errfunc() pcall(4) do coroutine.resume(coroutine.create(
>        function() do local a function errfunc()
>            a = {} loadstring 'fail' end coroutine.wrap(function() print(
>                xpcall(test, errfunc)) end)() coro() end end))() end
>        end(function() print(xpcall(test, errfunc)) end)()
>
>    Lua version 5.4.0, git hash 34affe7a63fc5d842580a9f23616d057e17dfe27

I could not reproduce this one. (But I will look at it again later.)

-- Roberto

RE: Heap use after free in lua_checkstack

Yongheng Chen
Tested on Ubuntu 16.04

Yongheng

From: [hidden email]
Sent: Saturday, July 25, 2020 2:44 PM
To: [hidden email]
Subject: Re: Heap use after free in lua_checkstack

>    We found a heap use after free in lua_checkstack. Here’s the POC:
>
>    function errfunc() pcall(4) do coroutine.resume(coroutine.create(
>        function() do local a function errfunc()
>            a = {} loadstring 'fail' end coroutine.wrap(function() print(
>                xpcall(test, errfunc)) end)() coro() end end))() end
>        end(function() print(xpcall(test, errfunc)) end)()
>
>    Lua version 5.4.0, git hash 34affe7a63fc5d842580a9f23616d057e17dfe27

I could not reproduce this one. (But I will look at it again later.)

-- Roberto

Re: Heap use after free in lua_checkstack

Andrew Gierth
>>>>> "Roberto" == Roberto Ierusalimschy <[hidden email]> writes:

 >> We found a heap use after free in lua_checkstack. Here’s the POC:
 >> Lua version 5.4.0, git hash 34affe7a63fc5d842580a9f23616d057e17dfe27

 Roberto> I could not reproduce this one. (But I will look at it again later.)

I reproduced it using the non-minimized case; it fails in checkstack
accessing a lua thread that is already freed. So I think this is the
same problem with graylists as the luaD_call case.

--
Andrew.

Re: Heap use after free in lua_checkstack

Kaj Eijlers
Unrelated as such, but can’t wait for more info about the fuzzer.

Sent from my iPhone

> On Jul 25, 2020, at 21:44, Andrew Gierth <[hidden email]> wrote:
>
> 
>>
>>>>>> "Roberto" == Roberto Ierusalimschy <[hidden email]> writes:
>
>>> We found a heap use after free in lua_checkstack. Here’s the POC:
>>> Lua version 5.4.0, git hash 34affe7a63fc5d842580a9f23616d057e17dfe27
>
> Roberto> I could not reproduce this one. (But I will look at it again later.)
>
> I reproduced it using the non-minimized case; it fails in checkstack
> accessing a lua thread that is already freed. So I think this is the
> same problem with graylists as the luaD_call case.
>
> --
> Andrew.

Re: Heap use after free in lua_checkstack

Petite Abeille


> On Jul 26, 2020, at 20:16, [hidden email] wrote:
>
> Unrelated as such, but can’t wait for more info about the fuzzer.

Ditto! :)

Meanwhile, some readings:

Squirrel: Testing Database Management Systems with Language Validity and Coverage Feedback
https://changochen.github.io/publication/squirrel_ccs2020.pdf

"syntax-preserving mutation and semantics guided instantiation"... miam! :D

Re: Heap use after free in lua_checkstack

Roberto Ierusalimschy
>  >> We found a heap use after free in lua_checkstack. Here’s the POC:
>  >> Lua version 5.4.0, git hash 34affe7a63fc5d842580a9f23616d057e17dfe27
>
>  Roberto> I could not reproduce this one. (But I will look at it again later.)
>
> I reproduced it using the non-minimized case; it fails in checkstack
> accessing a lua thread that is already freed. So I think this is the
> same problem with graylists as the luaD_call case.

You are right (again :-). I checked and the problem is exactly the same.
The thread is in the grayagain list, which is thrown away when another
object also in this list is marked in a barrier and inserted in the
gray list. A little after that the thread is wrongly collected.

This (hopefully) has been fixed in commit a6da1472c0c. That commit
also has a more readable test case that hits this bug.

-- Roberto
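The list corruption Roberto describes above, modelled as an added Python example (it is not Lua's code and not the fix in commit a6da1472c0c). The model assumes, as a simplification, that every collectable object carries a single intrusive link field, so it can belong to only one list at a time; a barrier that re-links an object already sitting in grayagain onto the gray list overwrites that link and cuts off everything that followed it, and the cut-off thread is never marked. The guarded variant (skip the relink when the object is already listed) is a model-level check, not Lua's actual fix.

```python
class GCObject:
    """Stand-in for a collectable object: one intrusive link, one mark bit."""
    def __init__(self, name):
        self.name = name
        self.gclist = None   # single 'next' pointer: an object fits in ONE list
        self.marked = False
        self.listed = False  # model-only flag: is this object already on a list?


def link_gclist(obj, head):
    """Push obj on the list whose head is 'head'; returns the new head."""
    obj.gclist = head
    obj.listed = True
    return obj


def mark_list(head):
    """Walk a list through 'gclist', marking everything it reaches."""
    o = head
    while o is not None:
        o.marked = True
        o = o.gclist


def simulate(barrier_relinks_listed_object):
    """Return the names of objects left unmarked, i.e. wrongly freed."""
    table, thread, other = GCObject("table"), GCObject("thread"), GCObject("other")
    # Constructed scenario: both 'table' and 'thread' sit in grayagain; table
    # was pushed last, so it is the head and thread hangs off table.gclist.
    grayagain = link_gclist(thread, None)
    grayagain = link_gclist(table, grayagain)
    gray = link_gclist(other, None)
    # A write barrier marks 'table' again. Moving it onto the gray list
    # overwrites its only link, which orphans 'thread' from grayagain.
    if barrier_relinks_listed_object:
        gray = link_gclist(table, gray)     # unconditional relink: the failure mode
    elif not table.listed:
        gray = link_gclist(table, gray)     # guarded: leave a listed object alone
    # Atomic phase (simplified): propagate gray, then grayagain.
    mark_list(gray)
    mark_list(grayagain)
    return [o.name for o in (table, thread, other) if not o.marked]


if __name__ == "__main__":
    print("relinking barrier frees:", simulate(True))   # ['thread']
    print("guarded barrier frees:", simulate(False))    # []
```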

Re: Heap use after free in lua_checkstack

Dibyendu Majumdar
On Mon, 27 Jul 2020 at 18:43, Roberto Ierusalimschy
<[hidden email]> wrote:
>

> This (hopefuly) has been fixed in commit a6da1472c0c. That commit
> also has a more readable test case that hits this bug.
>

Hi Roberto,

What was the reason for this change:
https://github.com/lua/lua/commit/d2c2e32e8a0f649099de0e9d04b5a72037b7b138
?

Thanks and Regards
Dibyendu

Re: Heap use after free in lua_checkstack

Phil Leblanc
On Mon, Jul 27, 2020 at 5:00 AM Petite Abeille <[hidden email]> wrote:
>
> > On Jul 26, 2020, at 20:16, [hidden email] wrote:
> >
> > Unrelated as such, but can’t wait for more info about the fuzzer.
>
> Ditto! :)

In the sqlite thread you pointed to recently, Richard Hipp suggests
that the fuzzer could be (based on) AFL (the "american fuzzy lop") [1]
[2]

[1] https://www.mail-archive.com/sqlite-users@.../msg117815.html
[2] https://github.com/google/AFL

Re: Heap use after free in lua_checkstack

Petite Abeille


> On Jul 28, 2020, at 20:22, Phil Leblanc <[hidden email]> wrote:
>
> In the sqlite thread you pointed to recently, Richard Hipp suggests
> that the fuzzer could be (based on) AFL (the "american fuzzy lop") [1]
> [2]
>
> [1] https://www.mail-archive.com/sqlite-users@.../msg117815.html
> [2] https://github.com/google/AFL

Right, I suspect this is what the Squirrel paper describes:

https://changochen.github.io/publication/squirrel_ccs2020.pdf

And now Yongheng & Rui are applying a similar technique to Lua scripts instead of SQL scripts.

Seems to work rather nicely altogether.

Re: Heap use after free in lua_checkstack

Phil Leblanc
On Tue, Jul 28, 2020 at 6:37 PM Petite Abeille <[hidden email]> wrote:
>
> Right, I suspect this is what the Squirrel paper describes:
>
> https://changochen.github.io/publication/squirrel_ccs2020.pdf
>
> And now Yongheng & Rui are applying a similar technique to Lua scripts instead of SQL scripts.
>
> Seems to work rather nicely altogether.

Just had a quick look at the paper (thanks for the reference).  Very
impressive indeed!