repro: unballanced luai_userstatefree call, risk of heap corruption

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

• Subject: repro: unballanced luai_userstatefree call, risk of heap corruption
• From: "Erik Cassel" <erik@...>
• Date: 2010年2月28日 13:08:21 -0800

---

I have a reproducible situation where luai_userstatefree is called on a
thread that never had luai_userstatethread called on it. This looks like a
bug in Lua, and it can cause heap corruption.
The problem occurs if you run out of memory while calling lua_newthread. If
the second allocation inside lua_newthread fails, then apparently the thread
is kept around in a non-initialized state. When you shutdown with lua_close,
then luai_userstatefree is called on this thread, and the corresponding
userstate is in an undefined state.
Below are the steps to reproduce the bug on a stock 5.1.4 source. All it
does is open a state, attempt to create a thread, and then close the state:
luaconf.h:
#include "stdio.h"
#define luai_userstateopen(L)		((void)L)
#define luai_userstateclose(L)		((void)L)
#define luai_userstatethread(L,L1)
(fprintf(stderr,"luai_userstatethread\n"))
#define luai_userstatefree(L)
(fprintf(stderr,"luai_userstatefree\n"))
#define luai_userstateresume(L,n)	((void)L)
#define luai_userstateyield(L,n)	((void)L)
Lua.c:
#define lua_c
#include "lua.h"
static int trigger = 0;
// A simple override of l_alloc
static void *allocator (void *ud, void *ptr, size_t osize, size_t nsize) {
 (void)ud;
 (void)osize;
 if (nsize == 0) {
 free(ptr);
 return NULL;
 }
 else if (nsize>osize && (--trigger==0))
 {
	 // Simulate an out-of-memory condition
	 return 0;
 }
 else
 return realloc(ptr, nsize);
}
static int pmain (lua_State *L) {
 // setting trigger to 2 will cause the 2nd allocation to fail.
 // setting trigger to 0 will cause no memory error, 
 // and you will see the correct behavior.
 trigger = 2;		
 
 lua_newthread(L);
 
 return 0;
}
int main (int argc, char **argv) {
 lua_State *L = lua_newstate(allocator, NULL);
 lua_cpcall(L, &pmain, 0);
 lua_close(L);
 fgetc(stdin);
 // At this point the console will display how many times
 // luai_userstatethread and luai_userstatefree where called
 return 0;
}
-Erik
 

---

• Prev by Date: Re: luuid vs. forks
• Next by Date: Ok lkiebhvjh), .).)/).2ドル$/)/$?/1/$/&, 'six dj idi cu j ouch did hgo hgo jchfj iidieixoso8.8.8 j u jcufciddjjwdkoxlkkbhxjdh. Mc
• Previous by thread: lpeg and left recursion
• Next by thread: Ok lkiebhvjh), .).)/).2ドル$/)/$?/1/$/&, 'six dj idi cu j ouch did hgo hgo jchfj iidieixoso8.8.8 j u jcufciddjjwdkoxlkkbhxjdh. Mc
• Index(es):
  • Date
  • Thread