On 8 June 2018 at 15:20, Daniel Teuchert
<Daniel.Teuchert@ruhr-uni-bochum.de> wrote:
Hi all,
I found a use-after-free vulnerability caused by the following input:
({debug.setlocal(1, 1 .. [[]], 'a')}).acos = 1
I can confirm the crash:
> $ lua5.3 -e "({debug.setlocal(1, 1 .. '', 'a')}).x = 1"
> lua5.3: error in error handling
> Segmentation fault (core dumped)
The same happens on 5.2:
> $ lua5.2 -e "({debug.setlocal(1, 1 .. '', 'a')}).x = 1"
> Segmentation fault (core dumped)
and on LuaJIT:
> $ luajit -e "({debug.setlocal(1, 1 .. '', 'a')}).x = 1"
> Segmentation fault (core dumped)
but not on 5.1:
> $ lua5.1 -e "({debug.setlocal(1, 1 .. '', 'a')}).x = 1"
> lua5.1: (command line):1: attempt to index a string value
> stack traceback:
> (command line):1: in main chunk
> [C]: ?
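As an added example (not code from either message above), the following POSIX sh script re-runs the posted chunk under each of the interpreters tried in the reply and classifies the outcome from the exit status, so the version matrix can be reproduced with one command rather than by hand. It assumes the standard conventions that the standalone `lua`/`luajit` binaries accept `-e chunk`, exit with status 1 on an uncaught Lua error, and that the shell reports a signal death as 128 plus the signal number (139 for SIGSEGV); those are assumptions of this harness, not facts stated in the thread.

```shell
#!/bin/sh
# Added example, not from the original thread: run the posted chunk under every
# interpreter on PATH and classify the result from the exit status.

# The exact chunk from the reply above.
POC="({debug.setlocal(1, 1 .. '', 'a')}).x = 1"

# classify_status STATUS -> label
# Assumption: shells report a signal death as 128+signum, so 139 is SIGSEGV and
# 134 is SIGABRT (an assertion or heap-consistency check firing); the standalone
# Lua interpreter exits with status 1 on an uncaught Lua error.
classify_status() {
    case "$1" in
        0)   echo clean ;;
        1)   echo lua-error ;;
        139) echo segfault ;;
        134) echo abort ;;
        *)   if [ "$1" -gt 128 ]; then
                 echo "signal-$(( $1 - 128 ))"
             else
                 echo "exit-$1"
             fi ;;
    esac
}

# classify_run INTERPRETER CHUNK -> label
# Runs "INTERPRETER -e CHUNK" with all output discarded and prints "missing"
# when the binary is not installed, so the loop below works on any machine.
classify_run() {
    interp=$1
    chunk=$2
    command -v "$interp" >/dev/null 2>&1 || { echo missing; return 0; }
    # Running the command as an if-condition keeps a crash or error from
    # tripping 'set -e' in a caller.
    if "$interp" -e "$chunk" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    classify_status "$status"
}

# Stand-alone driver: the same interpreters the reply tried, in the same order.
for interp in lua5.1 lua5.2 lua5.3 luajit; do
    printf '%-8s %s\n' "$interp" "$(classify_run "$interp" "$POC")"
done
```

A "segfault" or "abort" label for a chunk that only uses the debug library is the signal worth triaging further (under a debug build or ASan); "lua-error" is the behaviour 5.1 shows above, where the interpreter rejects the operation cleanly.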