Re: Heap overflow in luaH_get

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

• Subject: Re: Heap overflow in luaH_get
• From: Dibyendu Majumdar <mobile@...>
• Date: Thu, 9 Jul 2020 14:01:20 +0100

---

On Thu, 9 Jul 2020 at 05:58, Andrew Gierth <andrew@tao11.riddles.org.uk> wrote:
>
> >>>>> "Yongheng" == Yongheng Chen <changochen1@gmail.com> writes:
>
> Yongheng> READ of size 8 at 0x6060000020d8 thread T0
> Yongheng> #0 0x431a76 in luaH_get (/home/yongheng/lua_asan/lua+0x431a76)
>
> OK. I think I see some of what's going on with this one.
>
> The generational GC code seems to be assuming that a G_OLD1 object must
> be somewhere between g->survival and g->reallyold, or between g->finobj
> and g->finobjrold.
>
> But what happens in this case is that some table with an age of OLD1 has
> a metatable with a __gc metamethod, and when GCTM is being called for
> it, it gets moved back to the allgc list _at the front_, while remaining
> G_OLD1 (this is in udata2finalize).
>
> But since the table is not between g->survival and g->reallyold, and
> nevertheless is only OLD1 (and its metatable is at this point only
> SURVIVAL and white), it's not being processed by markold. Also, at some
> point in correctgraylist, the table was changed from grey to black while
> its metatable remained white. This results in the metatable being freed
> before the object that references it, hence the later crash.
I don't know if below is relevant at all but I thought it worth
mentioning it anyway.
While testing in Ravi I saw the ASAN error in a version of Ravi code
where I had missed protecting base after a call to LuaF_close() - in
OP_RETURN in my case.
But I can't generate the error in the latest Ravi version which has a
fix for this.
Now Lua 5.4 has a different way of doing things so this might not be
what is happening but the stack trace of the ASAN error looks the
same.
Anyway, I attach below the full trace:
=================================================================
==1768==ERROR: AddressSanitizer: heap-use-after-free on address
0x6080000119b8 at pc 0x7f6c6671228c bp 0x7fff36cad3a0 sp
0x7fff36cad390
READ of size 1 at 0x6080000119b8 thread T0
 #0 0x7f6c6671228b in lua_getmetatable /home/d/github/ravi/src/lapi.c:945
 #1 0x7f6c666e39dc in luaL_getmetafield /home/d/github/ravi/src/lauxlib.c:773
 #2 0x7f6c666e5e18 in pairsmeta /home/d/github/ravi/src/lbaselib.c:248
 #3 0x7f6c666e5f3a in luaB_pairs /home/d/github/ravi/src/lbaselib.c:275
 #4 0x7f6c6673f0ba in luaD_precall /home/d/github/ravi/src/ldo.c:444
 #5 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #6 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #7 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #8 0x7f6c66752afc in dothecall /home/d/github/ravi/src/lgc.c:951
 #9 0x7f6c6673b274 in luaD_rawrunprotected /home/d/github/ravi/src/ldo.c:148
 #10 0x7f6c6674321c in luaD_pcall /home/d/github/ravi/src/ldo.c:830
 #11 0x7f6c667536ad in GCTM /home/d/github/ravi/src/lgc.c:971
 #12 0x7f6c667539ab in callallpendingfinalizers
/home/d/github/ravi/src/lgc.c:1001
 #13 0x7f6c66755153 in finishgencycle /home/d/github/ravi/src/lgc.c:1248
 #14 0x7f6c66755626 in youngcollection /home/d/github/ravi/src/lgc.c:1284
 #15 0x7f6c6675631d in genstep /home/d/github/ravi/src/lgc.c:1452
 #16 0x7f6c66757e5a in luaC_step /home/d/github/ravi/src/lgc.c:1690
 #17 0x7f6c667209b8 in lua_concat /home/d/github/ravi/src/lapi.c:1520
 #18 0x7f6c666e11f1 in luaL_error /home/d/github/ravi/src/lauxlib.c:229
 #19 0x7f6c666fec6c in findloader /home/d/github/ravi/src/loadlib.c:581
 #20 0x7f6c666fee43 in ll_require /home/d/github/ravi/src/loadlib.c:606
 #21 0x7f6c6673f0ba in luaD_precall /home/d/github/ravi/src/ldo.c:444
 #22 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #23 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #24 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #25 0x7f6c6671cdeb in f_call /home/d/github/ravi/src/lapi.c:1284
 #26 0x7f6c6673b274 in luaD_rawrunprotected /home/d/github/ravi/src/ldo.c:148
 #27 0x7f6c6674321c in luaD_pcall /home/d/github/ravi/src/ldo.c:830
 #28 0x7f6c6671d463 in lua_pcallk /home/d/github/ravi/src/lapi.c:1310
 #29 0x7f6c666e6805 in luaB_pcall /home/d/github/ravi/src/lbaselib.c:460
 #30 0x7f6c6673f0ba in luaD_precall /home/d/github/ravi/src/ldo.c:444
 #31 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #32 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #33 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #34 0x7f6c6673918f in luaG_errormsg /home/d/github/ravi/src/ldebug.c:686
 #35 0x7f6c66739605 in luaG_runerror /home/d/github/ravi/src/ldebug.c:702
 #36 0x7f6c667384d5 in luaG_typeerror /home/d/github/ravi/src/ldebug.c:628
 #37 0x7f6c6673d04a in tryfuncTM /home/d/github/ravi/src/ldo.c:326
 #38 0x7f6c66740787 in luaD_precall /home/d/github/ravi/src/ldo.c:562
 #39 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #40 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #41 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #42 0x7f6c6673918f in luaG_errormsg /home/d/github/ravi/src/ldebug.c:686
 #43 0x7f6c66739605 in luaG_runerror /home/d/github/ravi/src/ldebug.c:702
 #44 0x7f6c667384d5 in luaG_typeerror /home/d/github/ravi/src/ldebug.c:628
 #45 0x7f6c6673d04a in tryfuncTM /home/d/github/ravi/src/ldo.c:326
 #46 0x7f6c66740787 in luaD_precall /home/d/github/ravi/src/ldo.c:562
 #47 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #48 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #49 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #50 0x7f6c6673918f in luaG_errormsg /home/d/github/ravi/src/ldebug.c:686
 #51 0x7f6c66739605 in luaG_runerror /home/d/github/ravi/src/ldebug.c:702
 #52 0x7f6c667384d5 in luaG_typeerror /home/d/github/ravi/src/ldebug.c:628
 #53 0x7f6c6673d04a in tryfuncTM /home/d/github/ravi/src/ldo.c:326
 #54 0x7f6c66740787 in luaD_precall /home/d/github/ravi/src/ldo.c:562
 #55 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #56 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #57 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #58 0x7f6c6673918f in luaG_errormsg /home/d/github/ravi/src/ldebug.c:686
 #59 0x7f6c66739605 in luaG_runerror /home/d/github/ravi/src/ldebug.c:702
 #60 0x7f6c667384d5 in luaG_typeerror /home/d/github/ravi/src/ldebug.c:628
 #61 0x7f6c6673d04a in tryfuncTM /home/d/github/ravi/src/ldo.c:326
 #62 0x7f6c66740787 in luaD_precall /home/d/github/ravi/src/ldo.c:562
 #63 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #64 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #65 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #66 0x7f6c6673918f in luaG_errormsg /home/d/github/ravi/src/ldebug.c:686
 #67 0x7f6c66739605 in luaG_runerror /home/d/github/ravi/src/ldebug.c:702
 #68 0x7f6c667384d5 in luaG_typeerror /home/d/github/ravi/src/ldebug.c:628
 #69 0x7f6c6673d04a in tryfuncTM /home/d/github/ravi/src/ldo.c:326
 #70 0x7f6c66740787 in luaD_precall /home/d/github/ravi/src/ldo.c:562
 #71 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #72 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #73 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #74 0x7f6c6673918f in luaG_errormsg /home/d/github/ravi/src/ldebug.c:686
 #75 0x7f6c66739605 in luaG_runerror /home/d/github/ravi/src/ldebug.c:702
 #76 0x7f6c667384d5 in luaG_typeerror /home/d/github/ravi/src/ldebug.c:628
 #77 0x7f6c6673d04a in tryfuncTM /home/d/github/ravi/src/ldo.c:326
 #78 0x7f6c66740787 in luaD_precall /home/d/github/ravi/src/ldo.c:562
 #79 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #80 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #81 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #82 0x7f6c6673918f in luaG_errormsg /home/d/github/ravi/src/ldebug.c:686
 #83 0x7f6c66739605 in luaG_runerror /home/d/github/ravi/src/ldebug.c:702
 #84 0x7f6c667384d5 in luaG_typeerror /home/d/github/ravi/src/ldebug.c:628
 #85 0x7f6c6673d04a in tryfuncTM /home/d/github/ravi/src/ldo.c:326
 #86 0x7f6c66740787 in luaD_precall /home/d/github/ravi/src/ldo.c:562
 #87 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #88 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #89 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #90 0x7f6c6673918f in luaG_errormsg /home/d/github/ravi/src/ldebug.c:686
 #91 0x7f6c66739605 in luaG_runerror /home/d/github/ravi/src/ldebug.c:702
 #92 0x7f6c667384d5 in luaG_typeerror /home/d/github/ravi/src/ldebug.c:628
 #93 0x7f6c6673d04a in tryfuncTM /home/d/github/ravi/src/ldo.c:326
 #94 0x7f6c66740787 in luaD_precall /home/d/github/ravi/src/ldo.c:562
 #95 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #96 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #97 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #98 0x7f6c6673918f in luaG_errormsg /home/d/github/ravi/src/ldebug.c:686
 #99 0x7f6c66739605 in luaG_runerror /home/d/github/ravi/src/ldebug.c:702
 #100 0x7f6c667384d5 in luaG_typeerror /home/d/github/ravi/src/ldebug.c:628
 #101 0x7f6c6673d04a in tryfuncTM /home/d/github/ravi/src/ldo.c:326
 #102 0x7f6c66740787 in luaD_precall /home/d/github/ravi/src/ldo.c:562
 #103 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #104 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #105 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #106 0x7f6c6673918f in luaG_errormsg /home/d/github/ravi/src/ldebug.c:686
 #107 0x7f6c66739605 in luaG_runerror /home/d/github/ravi/src/ldebug.c:702
 #108 0x7f6c667384d5 in luaG_typeerror /home/d/github/ravi/src/ldebug.c:628
 #109 0x7f6c6673d04a in tryfuncTM /home/d/github/ravi/src/ldo.c:326
 #110 0x7f6c66740787 in luaD_precall /home/d/github/ravi/src/ldo.c:562
 #111 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #112 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #113 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #114 0x7f6c6673918f in luaG_errormsg /home/d/github/ravi/src/ldebug.c:686
 #115 0x7f6c66739605 in luaG_runerror /home/d/github/ravi/src/ldebug.c:702
 #116 0x7f6c667384d5 in luaG_typeerror /home/d/github/ravi/src/ldebug.c:628
 #117 0x7f6c6673d04a in tryfuncTM /home/d/github/ravi/src/ldo.c:326
 #118 0x7f6c66740787 in luaD_precall /home/d/github/ravi/src/ldo.c:562
 #119 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #120 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #121 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #122 0x7f6c6673918f in luaG_errormsg /home/d/github/ravi/src/ldebug.c:686
 #123 0x7f6c66739605 in luaG_runerror /home/d/github/ravi/src/ldebug.c:702
 #124 0x7f6c667384d5 in luaG_typeerror /home/d/github/ravi/src/ldebug.c:628
 #125 0x7f6c6673d04a in tryfuncTM /home/d/github/ravi/src/ldo.c:326
 #126 0x7f6c66740787 in luaD_precall /home/d/github/ravi/src/ldo.c:562
 #127 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #128 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #129 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #130 0x7f6c6673918f in luaG_errormsg /home/d/github/ravi/src/ldebug.c:686
 #131 0x7f6c66739605 in luaG_runerror /home/d/github/ravi/src/ldebug.c:702
 #132 0x7f6c667384d5 in luaG_typeerror /home/d/github/ravi/src/ldebug.c:628
 #133 0x7f6c6673d04a in tryfuncTM /home/d/github/ravi/src/ldo.c:326
 #134 0x7f6c66740787 in luaD_precall /home/d/github/ravi/src/ldo.c:562
 #135 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #136 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #137 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #138 0x7f6c6673918f in luaG_errormsg /home/d/github/ravi/src/ldebug.c:686
 #139 0x7f6c66739605 in luaG_runerror /home/d/github/ravi/src/ldebug.c:702
 #140 0x7f6c667384d5 in luaG_typeerror /home/d/github/ravi/src/ldebug.c:628
 #141 0x7f6c6673d04a in tryfuncTM /home/d/github/ravi/src/ldo.c:326
 #142 0x7f6c66740787 in luaD_precall /home/d/github/ravi/src/ldo.c:562
 #143 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #144 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #145 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #146 0x7f6c6673918f in luaG_errormsg /home/d/github/ravi/src/ldebug.c:686
 #147 0x7f6c66739605 in luaG_runerror /home/d/github/ravi/src/ldebug.c:702
 #148 0x7f6c667384d5 in luaG_typeerror /home/d/github/ravi/src/ldebug.c:628
 #149 0x7f6c6673d04a in tryfuncTM /home/d/github/ravi/src/ldo.c:326
 #150 0x7f6c66740787 in luaD_precall /home/d/github/ravi/src/ldo.c:562
 #151 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #152 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #153 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #154 0x7f6c6673918f in luaG_errormsg /home/d/github/ravi/src/ldebug.c:686
 #155 0x7f6c66739605 in luaG_runerror /home/d/github/ravi/src/ldebug.c:702
 #156 0x7f6c667384d5 in luaG_typeerror /home/d/github/ravi/src/ldebug.c:628
 #157 0x7f6c6673d04a in tryfuncTM /home/d/github/ravi/src/ldo.c:326
 #158 0x7f6c66740787 in luaD_precall /home/d/github/ravi/src/ldo.c:562
 #159 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #160 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #161 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #162 0x7f6c6673918f in luaG_errormsg /home/d/github/ravi/src/ldebug.c:686
 #163 0x7f6c66739605 in luaG_runerror /home/d/github/ravi/src/ldebug.c:702
 #164 0x7f6c667384d5 in luaG_typeerror /home/d/github/ravi/src/ldebug.c:628
 #165 0x7f6c6673d04a in tryfuncTM /home/d/github/ravi/src/ldo.c:326
 #166 0x7f6c66740787 in luaD_precall /home/d/github/ravi/src/ldo.c:562
 #167 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #168 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #169 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #170 0x7f6c6673918f in luaG_errormsg /home/d/github/ravi/src/ldebug.c:686
 #171 0x7f6c66739605 in luaG_runerror /home/d/github/ravi/src/ldebug.c:702
 #172 0x7f6c667384d5 in luaG_typeerror /home/d/github/ravi/src/ldebug.c:628
 #173 0x7f6c6673d04a in tryfuncTM /home/d/github/ravi/src/ldo.c:326
 #174 0x7f6c66740787 in luaD_precall /home/d/github/ravi/src/ldo.c:562
 #175 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #176 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #177 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #178 0x7f6c6673918f in luaG_errormsg /home/d/github/ravi/src/ldebug.c:686
 #179 0x7f6c66739605 in luaG_runerror /home/d/github/ravi/src/ldebug.c:702
 #180 0x7f6c667384d5 in luaG_typeerror /home/d/github/ravi/src/ldebug.c:628
 #181 0x7f6c6673d04a in tryfuncTM /home/d/github/ravi/src/ldo.c:326
 #182 0x7f6c66740787 in luaD_precall /home/d/github/ravi/src/ldo.c:562
 #183 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #184 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #185 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #186 0x7f6c6673918f in luaG_errormsg /home/d/github/ravi/src/ldebug.c:686
 #187 0x7f6c66739605 in luaG_runerror /home/d/github/ravi/src/ldebug.c:702
 #188 0x7f6c667384d5 in luaG_typeerror /home/d/github/ravi/src/ldebug.c:628
 #189 0x7f6c6673d04a in tryfuncTM /home/d/github/ravi/src/ldo.c:326
 #190 0x7f6c66740787 in luaD_precall /home/d/github/ravi/src/ldo.c:562
 #191 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #192 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #193 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #194 0x7f6c6673918f in luaG_errormsg /home/d/github/ravi/src/ldebug.c:686
 #195 0x7f6c66739605 in luaG_runerror /home/d/github/ravi/src/ldebug.c:702
 #196 0x7f6c667384d5 in luaG_typeerror /home/d/github/ravi/src/ldebug.c:628
 #197 0x7f6c6673d04a in tryfuncTM /home/d/github/ravi/src/ldo.c:326
 #198 0x7f6c66740787 in luaD_precall /home/d/github/ravi/src/ldo.c:562
 #199 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #200 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #201 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #202 0x7f6c6673918f in luaG_errormsg /home/d/github/ravi/src/ldebug.c:686
 #203 0x7f6c66739605 in luaG_runerror /home/d/github/ravi/src/ldebug.c:702
 #204 0x7f6c667384d5 in luaG_typeerror /home/d/github/ravi/src/ldebug.c:628
 #205 0x7f6c6673d04a in tryfuncTM /home/d/github/ravi/src/ldo.c:326
 #206 0x7f6c66740787 in luaD_precall /home/d/github/ravi/src/ldo.c:562
 #207 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #208 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #209 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #210 0x7f6c6673918f in luaG_errormsg /home/d/github/ravi/src/ldebug.c:686
 #211 0x7f6c66739605 in luaG_runerror /home/d/github/ravi/src/ldebug.c:702
 #212 0x7f6c667384d5 in luaG_typeerror /home/d/github/ravi/src/ldebug.c:628
 #213 0x7f6c6673d04a in tryfuncTM /home/d/github/ravi/src/ldo.c:326
 #214 0x7f6c66740787 in luaD_precall /home/d/github/ravi/src/ldo.c:562
 #215 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #216 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #217 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #218 0x7f6c6673918f in luaG_errormsg /home/d/github/ravi/src/ldebug.c:686
 #219 0x7f6c66739605 in luaG_runerror /home/d/github/ravi/src/ldebug.c:702
 #220 0x7f6c667384d5 in luaG_typeerror /home/d/github/ravi/src/ldebug.c:628
 #221 0x7f6c6673d04a in tryfuncTM /home/d/github/ravi/src/ldo.c:326
 #222 0x7f6c66740787 in luaD_precall /home/d/github/ravi/src/ldo.c:562
 #223 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #224 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #225 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #226 0x7f6c6673918f in luaG_errormsg /home/d/github/ravi/src/ldebug.c:686
 #227 0x7f6c66739605 in luaG_runerror /home/d/github/ravi/src/ldebug.c:702
 #228 0x7f6c667384d5 in luaG_typeerror /home/d/github/ravi/src/ldebug.c:628
 #229 0x7f6c6673d04a in tryfuncTM /home/d/github/ravi/src/ldo.c:326
 #230 0x7f6c66740787 in luaD_precall /home/d/github/ravi/src/ldo.c:562
 #231 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #232 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #233 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #234 0x7f6c6673918f in luaG_errormsg /home/d/github/ravi/src/ldebug.c:686
 #235 0x7f6c66739605 in luaG_runerror /home/d/github/ravi/src/ldebug.c:702
 #236 0x7f6c667384d5 in luaG_typeerror /home/d/github/ravi/src/ldebug.c:628
 #237 0x7f6c6673d04a in tryfuncTM /home/d/github/ravi/src/ldo.c:326
 #238 0x7f6c66740787 in luaD_precall /home/d/github/ravi/src/ldo.c:562
 #239 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #240 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #241 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #242 0x7f6c6673918f in luaG_errormsg /home/d/github/ravi/src/ldebug.c:686
 #243 0x7f6c66739605 in luaG_runerror /home/d/github/ravi/src/ldebug.c:702
 #244 0x7f6c667384d5 in luaG_typeerror /home/d/github/ravi/src/ldebug.c:628
 #245 0x7f6c6673d04a in tryfuncTM /home/d/github/ravi/src/ldo.c:326
 #246 0x7f6c66740787 in luaD_precall /home/d/github/ravi/src/ldo.c:562
 #247 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #248 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #249 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #250 0x7f6c6673918f in luaG_errormsg /home/d/github/ravi/src/ldebug.c:686
0x6080000119b8 is located 24 bytes inside of 96-byte region
[0x6080000119a0,0x608000011a00)
freed by thread T0 here:
 #0 0x7f6c669a27cf in __interceptor_free
(/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
 #1 0x7f6c667ea2cd in freeblock /home/d/github/ravi/src/ltests.c:121
 #2 0x7f6c667ea4df in debug_realloc /home/d/github/ravi/src/ltests.c:146
 #3 0x7f6c6675fb16 in luaM_realloc_ /home/d/github/ravi/src/lmem.c:86
 #4 0x7f6c6678972a in luaH_free /home/d/github/ravi/src/ltable.c:535
 #5 0x7f6c66751ff2 in freeobj /home/d/github/ravi/src/lgc.c:841
 #6 0x7f6c667545a0 in sweepgen /home/d/github/ravi/src/lgc.c:1135
 #7 0x7f6c6675535f in youngcollection /home/d/github/ravi/src/lgc.c:1269
 #8 0x7f6c6675631d in genstep /home/d/github/ravi/src/lgc.c:1452
 #9 0x7f6c66757e5a in luaC_step /home/d/github/ravi/src/lgc.c:1690
 #10 0x7f6c667209b8 in lua_concat /home/d/github/ravi/src/lapi.c:1520
 #11 0x7f6c666e11f1 in luaL_error /home/d/github/ravi/src/lauxlib.c:229
 #12 0x7f6c666fec6c in findloader /home/d/github/ravi/src/loadlib.c:581
 #13 0x7f6c666fee43 in ll_require /home/d/github/ravi/src/loadlib.c:606
 #14 0x7f6c6673f0ba in luaD_precall /home/d/github/ravi/src/ldo.c:444
 #15 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #16 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #17 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #18 0x7f6c6671cdeb in f_call /home/d/github/ravi/src/lapi.c:1284
 #19 0x7f6c6673b274 in luaD_rawrunprotected /home/d/github/ravi/src/ldo.c:148
 #20 0x7f6c6674321c in luaD_pcall /home/d/github/ravi/src/ldo.c:830
 #21 0x7f6c6671d463 in lua_pcallk /home/d/github/ravi/src/lapi.c:1310
 #22 0x7f6c666e6805 in luaB_pcall /home/d/github/ravi/src/lbaselib.c:460
 #23 0x7f6c6673f0ba in luaD_precall /home/d/github/ravi/src/ldo.c:444
 #24 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #25 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #26 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #27 0x7f6c6673918f in luaG_errormsg /home/d/github/ravi/src/ldebug.c:686
 #28 0x7f6c66739605 in luaG_runerror /home/d/github/ravi/src/ldebug.c:702
 #29 0x7f6c667384d5 in luaG_typeerror /home/d/github/ravi/src/ldebug.c:628
previously allocated by thread T0 here:
 #0 0x7f6c669a2bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
 #1 0x7f6c667ea63c in debug_realloc /home/d/github/ravi/src/ltests.c:162
 #2 0x7f6c6675fb16 in luaM_realloc_ /home/d/github/ravi/src/lmem.c:86
 #3 0x7f6c667499f5 in luaC_newobj /home/d/github/ravi/src/lgc.c:335
 #4 0x7f6c66788fcc in luaH_new /home/d/github/ravi/src/ltable.c:496
 #5 0x7f6c667b173a in luaV_execute /home/d/github/ravi/src/lvm.c:1407
 #6 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #7 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #8 0x7f6c6671cdeb in f_call /home/d/github/ravi/src/lapi.c:1284
 #9 0x7f6c6673b274 in luaD_rawrunprotected /home/d/github/ravi/src/ldo.c:148
 #10 0x7f6c6674321c in luaD_pcall /home/d/github/ravi/src/ldo.c:830
 #11 0x7f6c6671d463 in lua_pcallk /home/d/github/ravi/src/lapi.c:1310
 #12 0x7f6c666e6805 in luaB_pcall /home/d/github/ravi/src/lbaselib.c:460
 #13 0x7f6c6673f0ba in luaD_precall /home/d/github/ravi/src/ldo.c:444
 #14 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #15 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #16 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #17 0x7f6c6673918f in luaG_errormsg /home/d/github/ravi/src/ldebug.c:686
 #18 0x7f6c66739605 in luaG_runerror /home/d/github/ravi/src/ldebug.c:702
 #19 0x7f6c667384d5 in luaG_typeerror /home/d/github/ravi/src/ldebug.c:628
 #20 0x7f6c6673d04a in tryfuncTM /home/d/github/ravi/src/ldo.c:326
 #21 0x7f6c66740787 in luaD_precall /home/d/github/ravi/src/ldo.c:562
 #22 0x7f6c667bde0e in luaV_execute /home/d/github/ravi/src/lvm.c:1697
 #23 0x7f6c6674098a in luaD_call /home/d/github/ravi/src/ldo.c:595
 #24 0x7f6c66740a64 in luaD_callnoyield /home/d/github/ravi/src/ldo.c:606
 #25 0x7f6c6673918f in luaG_errormsg /home/d/github/ravi/src/ldebug.c:686
 #26 0x7f6c66739605 in luaG_runerror /home/d/github/ravi/src/ldebug.c:702
 #27 0x7f6c667384d5 in luaG_typeerror /home/d/github/ravi/src/ldebug.c:628
 #28 0x7f6c6673d04a in tryfuncTM /home/d/github/ravi/src/ldo.c:326
 #29 0x7f6c66740787 in luaD_precall /home/d/github/ravi/src/ldo.c:562

---

• References:
  • Heap overflow in luaH_get, Yongheng Chen
  • Re: Heap overflow in luaH_get, Andrew Gierth

• Prev by Date: Re: Heap overflow in luaH_get
• Next by Date: Re: Heap overflow in luaH_get
• Previous by thread: Re: Heap overflow in luaH_get
• Next by thread: Re: Heap overflow in luaH_get
• Index(es):
  • Date
  • Thread