Use-After-Free Vulnerability in Lua


Use-After-Free Vulnerability in Lua

Daniel Teuchert
Hi all,
I found a use-after-free vulnerability caused by the following input:
({debug.setlocal(1, 1 .. [[]], 'a')}).acos = 1

I am not sure what the root cause of this problem is but when I execute
this code in lua, which was compiled with ASAN, I get the following
output:

==26079==ERROR: AddressSanitizer: heap-use-after-free on address
0x60400000d219 at pc 0x0000005170f9 bp 0x7fff3b0591d0 sp 0x7fff3b0591c8
READ of size 1 at 0x60400000d219 thread T0
     #0 0x5170f8  (/home/me/forksrv/instrument/lua/src/lua+0x5170f8)
     #1 0x5168a6  (/home/me/forksrv/instrument/lua/src/lua+0x5168a6)
     #2 0x53c549  (/home/me/forksrv/instrument/lua/src/lua+0x53c549)
     #3 0x4ece69  (/home/me/forksrv/instrument/lua/src/lua+0x4ece69)
     #4 0x7fca34cb782f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
     #5 0x41b608  (/home/me/forksrv/instrument/lua/src/lua+0x41b608)

0x60400000d219 is located 9 bytes inside of 37-byte region
[0x60400000d210,0x60400000d235)
freed by thread T0 here:
     #0 0x4bb5b0  (/home/me/forksrv/instrument/lua/src/lua+0x4bb5b0)
     #1 0x5667d7  (/home/me/forksrv/instrument/lua/src/lua+0x5667d7)
     #2 0x52055e  (/home/me/forksrv/instrument/lua/src/lua+0x52055e)
     #3 0x516f9c  (/home/me/forksrv/instrument/lua/src/lua+0x516f9c)
     #4 0x5168a6  (/home/me/forksrv/instrument/lua/src/lua+0x5168a6)
     #5 0x53c549  (/home/me/forksrv/instrument/lua/src/lua+0x53c549)
     #6 0x4ece69  (/home/me/forksrv/instrument/lua/src/lua+0x4ece69)
     #7 0x7fca34cb782f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
     #0 0x4bbab8  (/home/me/forksrv/instrument/lua/src/lua+0x4bbab8)
     #1 0x5667b2  (/home/me/forksrv/instrument/lua/src/lua+0x5667b2)
     #2 0x52055e  (/home/me/forksrv/instrument/lua/src/lua+0x52055e)
     #3 0x515f9b  (/home/me/forksrv/instrument/lua/src/lua+0x515f9b)
     #4 0x53df93  (/home/me/forksrv/instrument/lua/src/lua+0x53df93)
     #5 0x53e751  (/home/me/forksrv/instrument/lua/src/lua+0x53e751)
     #6 0x4f737c  (/home/me/forksrv/instrument/lua/src/lua+0x4f737c)
     #7 0x58b59f  (/home/me/forksrv/instrument/lua/src/lua+0x58b59f)
     #8 0x50aba5  (/home/me/forksrv/instrument/lua/src/lua+0x50aba5)
     #9 0x5505a7  (/home/me/forksrv/instrument/lua/src/lua+0x5505a7)
     #10 0x50bbd4  (/home/me/forksrv/instrument/lua/src/lua+0x50bbd4)
     #11 0x507c16  (/home/me/forksrv/instrument/lua/src/lua+0x507c16)
     #12 0x50e251  (/home/me/forksrv/instrument/lua/src/lua+0x50e251)
     #13 0x4fe339  (/home/me/forksrv/instrument/lua/src/lua+0x4fe339)
     #14 0x4ee72b  (/home/me/forksrv/instrument/lua/src/lua+0x4ee72b)
     #15 0x50aba5  (/home/me/forksrv/instrument/lua/src/lua+0x50aba5)
     #16 0x50bbaa  (/home/me/forksrv/instrument/lua/src/lua+0x50bbaa)
     #17 0x507c16  (/home/me/forksrv/instrument/lua/src/lua+0x507c16)
     #18 0x50e251  (/home/me/forksrv/instrument/lua/src/lua+0x50e251)
     #19 0x4fe339  (/home/me/forksrv/instrument/lua/src/lua+0x4fe339)
     #20 0x4ecd00  (/home/me/forksrv/instrument/lua/src/lua+0x4ecd00)
     #21 0x7fca34cb782f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-use-after-free
(/home/prakti/forksrv/instrument/lua/src/lua+0x5170f8)
Shadow bytes around the buggy address:
   0x0c087fff99f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x0c087fff9a00: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
   0x0c087fff9a10: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
   0x0c087fff9a20: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
   0x0c087fff9a30: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
=>0x0c087fff9a40: fa fa fd[fd]fd fd fd fa fa fa fd fd fd fd fd fd
   0x0c087fff9a50: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
   0x0c087fff9a60: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
   0x0c087fff9a70: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
   0x0c087fff9a80: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
   0x0c087fff9a90: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
   Addressable:           00
   Partially addressable: 01 02 03 04 05 06 07
   Heap left redzone:       fa
   Heap right redzone:      fb
   Freed heap region:       fd
   Stack left redzone:      f1
   Stack mid redzone:       f2
   Stack right redzone:     f3
   Stack partial redzone:   f4
   Stack after return:      f5
   Stack use after scope:   f8
   Global redzone:          f9
   Global init order:       f6
   Poisoned by user:        f7
   Container overflow:      fc
   Array cookie:            ac
   Intra object redzone:    bb
   ASan internal:           fe
   Left alloca redzone:     ca
   Right alloca redzone:    cb
==26079==ABORTING

And sometimes:

ASAN:DEADLYSIGNAL
=================================================================
==14515==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
(pc 0x7f2bf0ec5b1a bp 0x7fff7b895af0 sp 0x7fff7b895288 T0)
     #0 0x7f2bf0ec5b19  (/lib/x86_64-linux-gnu/libc.so.6+0x14db19)
     #1 0x4a5054  (/home/me/latest_lua/lua-5.3.4/src/lua+0x4a5054)
     #2 0x525fd6  (/home/me/latest_lua/lua-5.3.4/src/lua+0x525fd6)
     #3 0x530fbb  (/home/me/latest_lua/lua-5.3.4/src/lua+0x530fbb)
     #4 0x50061f  (/home/me/latest_lua/lua-5.3.4/src/lua+0x50061f)
     #5 0x4fdd60  (/home/me/latest_lua/lua-5.3.4/src/lua+0x4fdd60)
     #6 0x50218d  (/home/me/latest_lua/lua-5.3.4/src/lua+0x50218d)
     #7 0x4f74fa  (/home/me/latest_lua/lua-5.3.4/src/lua+0x4f74fa)
     #8 0x4ee32a  (/home/me/latest_lua/lua-5.3.4/src/lua+0x4ee32a)
     #9 0x4ed52b  (/home/me/latest_lua/lua-5.3.4/src/lua+0x4ed52b)
     #10 0x4ffb7f  (/home/me/latest_lua/lua-5.3.4/src/lua+0x4ffb7f)
     #11 0x500613  (/home/me/latest_lua/lua-5.3.4/src/lua+0x500613)
     #12 0x4fdd60  (/home/me/latest_lua/lua-5.3.4/src/lua+0x4fdd60)
     #13 0x50218d  (/home/me/latest_lua/lua-5.3.4/src/lua+0x50218d)
     #14 0x4f74fa  (/home/me/latest_lua/lua-5.3.4/src/lua+0x4f74fa)
     #15 0x4ec8f3  (/home/me/latest_lua/lua-5.3.4/src/lua+0x4ec8f3)
     #16 0x7f2bf0d9882f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
     #17 0x41b238  (/home/me/latest_lua/lua-5.3.4/src/lua+0x41b238)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
(/lib/x86_64-linux-gnu/libc.so.6+0x14db19)
==14515==ABORTING

Note that lua also crashes if it is not compiled with ASAN.

Steps to reproduce:
curl -R -O http://www.lua.org/ftp/lua-5.3.4.tar.gz
tar zxf lua-5.3.4.tar.gz
cd lua-5.3.4
edit Makefile in "src" folder and set CC= clang -fsanitize=address -fno-omit-frame-pointer
make linux
echo "({debug.setlocal(1, 1 .. [[]], 'a')}).acos = 1">lua_crash
Execute src/lua /path/to/lua_crash

Cheers,
Daniel


Re: Use-After-Free Vulnerability in Lua

Javier Guerra Giraldez


On 8 June 2018 at 15:20, Daniel Teuchert <[hidden email]> wrote:
Hi all,
I found a use-after-free vulnerability caused by the following input:
({debug.setlocal(1, 1 .. [[]], 'a')}).acos = 1


can confirm the crash:

> $ lua5.3 -e "({debug.setlocal(1, 1 .. '', 'a')}).x = 1"
> lua5.3: error in error handling
> Segmentation fault (core dumped)


same happens on 5.2:

>  $ lua5.2 -e "({debug.setlocal(1, 1 .. '', 'a')}).x = 1"
> Segmentation fault (core dumped)


and on LuaJIT:

> $ luajit -e "({debug.setlocal(1, 1 .. '', 'a')}).x = 1"
> Segmentation fault (core dumped)


but not on 5.1:

> $ lua5.1 -e "({debug.setlocal(1, 1 .. '', 'a')}).x = 1"
> lua5.1: (command line):1: attempt to index a string value
> stack traceback:
>         (command line):1: in main chunk
>         [C]: ?


--
Javier

Re: Use-After-Free Vulnerability in Lua

Roberto Ierusalimschy
In reply to this post by Daniel Teuchert
> I found a use-after-free vulnerability caused by the following input:
> ({debug.setlocal(1, 1 .. [[]], 'a')}).acos = 1
>
> I am not sure what the root cause of this problem is but when I
> execute this code in lua, which was compiled with ASAN, I get the
> following output:
>
> [...]

From the Lua manual:

        The Debug Library
        [...]
        You should exert care when using this library.  Several of its
        functions violate basic assumptions about Lua code (e.g., that
        variables local to a function cannot be accessed from outside;
        that userdata metatables cannot be changed by Lua code; that Lua
        programs do not crash) and therefore can compromise otherwise
        secure code.

In your example, the call "debug.setlocal(1, 1 .. [[]], 'a')",
which can be simplified to "debug.setlocal(1, 1, 'a')", is changing
the table being constructed into a string. Because Lua itself created
that table, it does not check its type when adding the element inside
the constructor. The result is that Lua will handle the string 'a' as
if it was a table...

-- Roberto
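The practical consequence of Roberto's explanation is that a host which hands untrusted Lua source to the interpreter must not expose the debug library (the manual's warning applies to the whole library, not just setlocal). The following is an added example, not code from the thread or from the Lua project: it loads a chunk into a whitelisted environment that omits `debug` (and the other libraries that break Lua's safety assumptions), so the reproducer from the thread fails with an ordinary Lua error instead of reaching the VM with a string where a table is expected. The whitelist itself is an assumption for illustration; a real host tailors it to what the embedded scripts need. Note that `1 .. [[]]` is just the string "1", which `debug.setlocal` silently coerces back to the number 1, which is why Roberto's simplification to `debug.setlocal(1, 1, 'a')` is equivalent.

```lua
-- Added example (not from the thread): run untrusted Lua source in an
-- environment that does not expose the debug library. Written against
-- Lua 5.3, the version the thread discusses.

local function make_sandbox_env()
  -- Whitelist of globals considered safe for untrusted chunks (an assumption
  -- for this example; adapt it to the host application).
  local env = {
    assert = assert, error = error, ipairs = ipairs, pairs = pairs,
    next = next, pcall = pcall, select = select, tonumber = tonumber,
    tostring = tostring, type = type,
    math = math, string = string, table = table, utf8 = utf8,
  }
  -- Deliberately absent: debug, io, os, load, loadfile, dofile, require,
  -- setmetatable/getmetatable/rawset/rawget.  Each of these lets a chunk
  -- reach outside the assumptions the manual says ordinary Lua code keeps.
  return env
end

local function run_untrusted(source, name)
  local env = make_sandbox_env()
  -- Mode "t": accept only textual chunks, never precompiled bytecode.  The
  -- bytecode loader trusts the chunk's own type information, so malformed
  -- bytecode is another way to hand the VM a value of the wrong type.
  local chunk, err = load(source, name or "=untrusted", "t", env)
  if not chunk then
    return false, "compile error: " .. tostring(err)
  end
  local ok, res = pcall(chunk)
  if not ok then
    return false, "runtime error: " .. tostring(res)
  end
  return true, res
end

-- The reproducer from the thread.  With `debug` absent from the environment
-- the index on the global fails before debug.setlocal can touch the table
-- under construction, so the interpreter reports an error and keeps running.
local crash_src = "({debug.setlocal(1, 1 .. [[]], 'a')}).acos = 1"
print(run_untrusted(crash_src, "=reproducer"))

-- A benign chunk using the whitelisted libraries still runs normally.
print(run_untrusted("return math.acos(1) + #('abc')", "=benign"))
```

For a host written in C the equivalent step is to open only the libraries the scripts need with `luaL_requiref` instead of calling `luaL_openlibs`, which registers `debug` along with everything else; the environment-table approach above is the portable way to do the same from Lua code itself.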