
Re: heap-buffer-overflow in luaD_pretailcall


>>>>> "Rui" == Rui Zhong <reversezr33@gmail.com> writes:
 Rui> 0x6160000017e8 at pc 0x000000414661 bp 0x7ffd48797200 sp 0x7ffd487971f0
 Rui> WRITE of size 1 at 0x6160000017e8 thread T0
 Rui> #0 0x414660 in luaD_pretailcall (/home/yongheng/lua_asan/lua+0x414660)
So this seems to be a rather fundamental issue in checkstackGC; it
ensures that there's stack space beyond L->top for the specified number
of entries, reallocating the stack if need be, but then it possibly
performs a garbage collection, and the garbage collector can and will
_immediately shrink the stack down again_. This can (and in this case
does) undo the stack growth that was just done, and so the
argument-completion loop in pretailcall stomps off the end of the stack.
Maybe something should have been assigning to ci->top before allowing
the GC to run, to protect the newly-allocated stack entries?
-- 
Andrew.
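The ordering hazard Andrew describes, as an added example that is not part of the original thread and not Lua's own code: a toy value stack with a `top` (the L->top analogue) and a `ci_top` (the ci->top analogue), a grow step, and a simplified collector that shrinks the stack to whatever is claimed. The struct and function names here (`Stack`, `grow_stack`, `gc_shrink`, `checkstack_gc_buggy`, `checkstack_gc_fixed`, `complete_args`, `run_scenario`) are hypothetical, and the shrink policy is simplified (it releases every unclaimed slot; the real collector computes its target size differently). The "argument-completion" loop counts the writes that would land out of bounds instead of performing them, so the program does not actually corrupt memory.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of a Lua-like value stack (not Lua's real structures). */
typedef struct {
    int *slots;   /* value slots */
    int  size;    /* allocated slots */
    int  top;     /* first free slot: the L->top analogue */
    int  ci_top;  /* slots the running frame has claimed: the ci->top analogue */
} Stack;

static void stack_init(Stack *s, int size, int used) {
    s->slots = calloc((size_t)size, sizeof(int));
    s->size = size;
    s->top = used;
    s->ci_top = used;
}

static void stack_free(Stack *s) {
    free(s->slots);
    s->slots = NULL;
    s->size = s->top = s->ci_top = 0;
}

/* Ensure at least n free slots beyond top, reallocating if needed
 * (the growth half of what checkstackGC does). */
static void grow_stack(Stack *s, int n) {
    if (s->size - s->top >= n) return;
    int newsize = s->top + n;
    s->slots = realloc(s->slots, (size_t)newsize * sizeof(int));
    s->size = newsize;
}

/* Simplified model of the collector shrinking the stack: it keeps only what
 * the frame claims (ci_top) or what is actually pushed (top), whichever is
 * larger. Slots that were grown but never claimed are released. */
static void gc_shrink(Stack *s) {
    int inuse = s->top > s->ci_top ? s->top : s->ci_top;
    if (inuse > 0 && inuse < s->size) {
        s->slots = realloc(s->slots, (size_t)inuse * sizeof(int));
        s->size = inuse;
    }
}

/* Buggy ordering (the one the report exercises): grow, then let the
 * collector run before the new slots have been claimed. */
static void checkstack_gc_buggy(Stack *s, int n) {
    grow_stack(s, n);
    gc_shrink(s);          /* may undo the growth just performed */
}

/* Ordering Andrew suggests: claim the slots via ci_top before the collector
 * runs, so the shrink cannot take them away. */
static void checkstack_gc_fixed(Stack *s, int n) {
    grow_stack(s, n);
    s->ci_top = s->top + n;
    gc_shrink(s);
}

/* Argument-completion loop: push n filler values. Instead of writing past the
 * allocation (what the ASan report shows), count the writes that would have
 * landed out of bounds and skip them. */
static int complete_args(Stack *s, int n) {
    int out_of_bounds = 0;
    for (int i = 0; i < n; i++) {
        if (s->top < s->size)
            s->slots[s->top++] = 0;
        else
            out_of_bounds++;
    }
    return out_of_bounds;
}

/* Constructed scenario: 3 values already sit on a 4-slot stack and the call
 * needs 5 more. Returns how many writes of the completion loop would have
 * gone past the end of the allocation. */
int run_scenario(int use_fix) {
    Stack s;
    stack_init(&s, 4, 3);
    if (use_fix)
        checkstack_gc_fixed(&s, 5);
    else
        checkstack_gc_buggy(&s, 5);
    int oob = complete_args(&s, 5);
    stack_free(&s);
    return oob;
}

int main(void) {
    printf("buggy ordering: %d out-of-bounds writes\n", run_scenario(0));
    printf("fixed ordering: %d out-of-bounds writes\n", run_scenario(1));
    return 0;
}
```

With the buggy ordering the stack grows from 4 to 8 slots and the collector immediately shrinks it back to the 3 claimed slots, so all 5 completion writes fall outside the allocation; claiming the slots first keeps the 8-slot allocation intact. The model only shows the grow/shrink ordering problem; where Lua should actually assign ci->top, and whether that is the complete fix, is not settled by this message.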
