Re: Heap use after free in lua_checkstack

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

• Subject: Re: Heap use after free in lua_checkstack
• From: Roberto Ierusalimschy <roberto@...>
• Date: 2020年7月27日 14:42:21 -0300

---

> >> We found a heap use after free in lua_checkstack. Here’s the POC:
> >> Lua version 5.4.0, git hash 34affe7a63fc5d842580a9f23616d057e17dfe27
> 
> Roberto> I could not reproduce this one. (But I will look at it again later.)
> 
> I reproduced it using the non-minimized case; it fails in checkstack
> accessing a lua thread that is already freed. So I think this is the
> same problem with graylists as the luaD_call case.
You are right (again :-). I checked and the problem is exactly the same.
The thread is in the grayagain list, which is thrown away when another
object also in this list is marked in a barrier and inserted in the
gray list. A little after that the thread is wrongly collected.
This (hopefuly) has been fixed in commit a6da1472c0c. That commit
also has a more readable test case that hits this bug.
-- Roberto

---

• Follow-Ups:
  • Re: Heap use after free in lua_checkstack, Dibyendu Majumdar

• References:
  • Heap use after free in lua_checkstack, Yongheng Chen
  • Re: Heap use after free in lua_checkstack, Roberto Ierusalimschy
  • Re: Heap use after free in lua_checkstack, Andrew Gierth

• Prev by Date: Re: Heap use after free in lua_checkstack
• Next by Date: Re: Heap use after free in lua_checkstack
• Previous by thread: Re: Heap use after free in lua_checkstack
• Next by thread: Re: Heap use after free in lua_checkstack
• Index(es):
  • Date
  • Thread