Use-After-Free Vulnerability in Lua

Hi all,
I found a use-after-free vulnerability caused by the following input:
({debug.setlocal(1, 1 .. [[]], 'a')}).acos = 1
I am not sure what the root cause of this problem is, but when I execute this code in Lua, which was compiled with ASAN, I get the following output:
==26079==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400000d219 at pc 0x0000005170f9 bp 0x7fff3b0591d0 sp 0x7fff3b0591c8
READ of size 1 at 0x60400000d219 thread T0
 #0 0x5170f8 (/home/me/forksrv/instrument/lua/src/lua+0x5170f8)
 #1 0x5168a6 (/home/me/forksrv/instrument/lua/src/lua+0x5168a6)
 #2 0x53c549 (/home/me/forksrv/instrument/lua/src/lua+0x53c549)
 #3 0x4ece69 (/home/me/forksrv/instrument/lua/src/lua+0x4ece69)
 #4 0x7fca34cb782f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
 #5 0x41b608 (/home/me/forksrv/instrument/lua/src/lua+0x41b608)
0x60400000d219 is located 9 bytes inside of 37-byte region [0x60400000d210,0x60400000d235)
freed by thread T0 here:
 #0 0x4bb5b0 (/home/me/forksrv/instrument/lua/src/lua+0x4bb5b0)
 #1 0x5667d7 (/home/me/forksrv/instrument/lua/src/lua+0x5667d7)
 #2 0x52055e (/home/me/forksrv/instrument/lua/src/lua+0x52055e)
 #3 0x516f9c (/home/me/forksrv/instrument/lua/src/lua+0x516f9c)
 #4 0x5168a6 (/home/me/forksrv/instrument/lua/src/lua+0x5168a6)
 #5 0x53c549 (/home/me/forksrv/instrument/lua/src/lua+0x53c549)
 #6 0x4ece69 (/home/me/forksrv/instrument/lua/src/lua+0x4ece69)
 #7 0x7fca34cb782f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
previously allocated by thread T0 here:
 #0 0x4bbab8 (/home/me/forksrv/instrument/lua/src/lua+0x4bbab8)
 #1 0x5667b2 (/home/me/forksrv/instrument/lua/src/lua+0x5667b2)
 #2 0x52055e (/home/me/forksrv/instrument/lua/src/lua+0x52055e)
 #3 0x515f9b (/home/me/forksrv/instrument/lua/src/lua+0x515f9b)
 #4 0x53df93 (/home/me/forksrv/instrument/lua/src/lua+0x53df93)
 #5 0x53e751 (/home/me/forksrv/instrument/lua/src/lua+0x53e751)
 #6 0x4f737c (/home/me/forksrv/instrument/lua/src/lua+0x4f737c)
 #7 0x58b59f (/home/me/forksrv/instrument/lua/src/lua+0x58b59f)
 #8 0x50aba5 (/home/me/forksrv/instrument/lua/src/lua+0x50aba5)
 #9 0x5505a7 (/home/me/forksrv/instrument/lua/src/lua+0x5505a7)
 #10 0x50bbd4 (/home/me/forksrv/instrument/lua/src/lua+0x50bbd4)
 #11 0x507c16 (/home/me/forksrv/instrument/lua/src/lua+0x507c16)
 #12 0x50e251 (/home/me/forksrv/instrument/lua/src/lua+0x50e251)
 #13 0x4fe339 (/home/me/forksrv/instrument/lua/src/lua+0x4fe339)
 #14 0x4ee72b (/home/me/forksrv/instrument/lua/src/lua+0x4ee72b)
 #15 0x50aba5 (/home/me/forksrv/instrument/lua/src/lua+0x50aba5)
 #16 0x50bbaa (/home/me/forksrv/instrument/lua/src/lua+0x50bbaa)
 #17 0x507c16 (/home/me/forksrv/instrument/lua/src/lua+0x507c16)
 #18 0x50e251 (/home/me/forksrv/instrument/lua/src/lua+0x50e251)
 #19 0x4fe339 (/home/me/forksrv/instrument/lua/src/lua+0x4fe339)
 #20 0x4ecd00 (/home/me/forksrv/instrument/lua/src/lua+0x4ecd00)
 #21 0x7fca34cb782f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-use-after-free (/home/prakti/forksrv/instrument/lua/src/lua+0x5170f8)
==26079==ABORTING
And sometimes:
ASAN:DEADLYSIGNAL
=================================================================
==14515==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2bf0ec5b1a bp 0x7fff7b895af0 sp 0x7fff7b895288 T0)
 #0 0x7f2bf0ec5b19 (/lib/x86_64-linux-gnu/libc.so.6+0x14db19)
 #1 0x4a5054 (/home/me/latest_lua/lua-5.3.4/src/lua+0x4a5054)
 #2 0x525fd6 (/home/me/latest_lua/lua-5.3.4/src/lua+0x525fd6)
 #3 0x530fbb (/home/me/latest_lua/lua-5.3.4/src/lua+0x530fbb)
 #4 0x50061f (/home/me/latest_lua/lua-5.3.4/src/lua+0x50061f)
 #5 0x4fdd60 (/home/me/latest_lua/lua-5.3.4/src/lua+0x4fdd60)
 #6 0x50218d (/home/me/latest_lua/lua-5.3.4/src/lua+0x50218d)
 #7 0x4f74fa (/home/me/latest_lua/lua-5.3.4/src/lua+0x4f74fa)
 #8 0x4ee32a (/home/me/latest_lua/lua-5.3.4/src/lua+0x4ee32a)
 #9 0x4ed52b (/home/me/latest_lua/lua-5.3.4/src/lua+0x4ed52b)
 #10 0x4ffb7f (/home/me/latest_lua/lua-5.3.4/src/lua+0x4ffb7f)
 #11 0x500613 (/home/me/latest_lua/lua-5.3.4/src/lua+0x500613)
 #12 0x4fdd60 (/home/me/latest_lua/lua-5.3.4/src/lua+0x4fdd60)
 #13 0x50218d (/home/me/latest_lua/lua-5.3.4/src/lua+0x50218d)
 #14 0x4f74fa (/home/me/latest_lua/lua-5.3.4/src/lua+0x4f74fa)
 #15 0x4ec8f3 (/home/me/latest_lua/lua-5.3.4/src/lua+0x4ec8f3)
 #16 0x7f2bf0d9882f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
 #17 0x41b238 (/home/me/latest_lua/lua-5.3.4/src/lua+0x41b238)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x14db19)
==14515==ABORTING
Note that Lua also crashes if it is not compiled with ASAN.
Steps to reproduce:
curl -R -O http://www.lua.org/ftp/lua-5.3.4.tar.gz
tar zxf lua-5.3.4.tar.gz
cd lua-5.3.4
edit Makefile in "src" folder and set CC= clang -fsanitize=address -fno-omit-frame-pointer
make linux
echo "({debug.setlocal(1, 1 .. [[]], 'a')}).acos = 1">lua_crash
Execute src/lua /path/to/lua_crash
Cheers,
Daniel
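The crashing input above depends on the script being able to call debug.setlocal. The following Lua 5.3 snippet is an added example, not code from the post or from the Lua project: it loads an untrusted chunk with an environment that omits the debug library (and other unsafe globals), so the reported input fails at the global lookup instead of reaching the interpreter bug. The whitelist of globals is an assumption chosen for illustration.

```lua
-- Added example (not from the original post). Assumes Lua 5.3, where
-- load() accepts an explicit environment table as its fourth argument.

-- Build an environment that exposes only a whitelist of globals.
-- 'debug', 'load', 'loadstring', 'dofile', 'require', 'os', 'io' and
-- 'package' are deliberately left out; the list is an assumption.
local function make_sandbox_env()
  local env = {}
  local allowed = {
    "assert", "error", "ipairs", "next", "pairs", "pcall", "select",
    "tonumber", "tostring", "type", "xpcall", "math", "string", "table",
  }
  for _, name in ipairs(allowed) do
    env[name] = _G[name]
  end
  env._G = env
  return env
end

-- Compile and run untrusted source text in the restricted environment.
-- Mode "t" refuses precompiled bytecode, which can also corrupt the VM.
local function run_untrusted(code, chunkname)
  local env = make_sandbox_env()
  local fn, err = load(code, chunkname or "=untrusted", "t", env)
  if not fn then
    return false, "load failed: " .. tostring(err)
  end
  return pcall(fn)
end

-- The exact input from the bug report, executed inside the sandbox.
-- Inside env there is no 'debug' global, so the chunk raises a Lua
-- error ("attempt to index a nil value") instead of crashing the process.
local ok, err = run_untrusted("({debug.setlocal(1, 1 .. [[]], 'a')}).acos = 1")
print(ok, err)
```

This does not fix the interpreter bug itself; it only keeps untrusted scripts away from the debug library until the affected Lua build is patched.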
