Stack overflow in vararg functions with many fixed parameters called with few arguments
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
lua5.1 (Ubuntu) | Fix Released | Undecided | Marc Deslauriers |
Precise | Fix Released | Medium | Marc Deslauriers |
Trusty | Fix Released | Medium | Marc Deslauriers |
Utopic | Fix Released | Undecided | Marc Deslauriers |
lua5.2 (Ubuntu) | Fix Released | Undecided | Unassigned |
Precise | Fix Released | Undecided | Marc Deslauriers |
Trusty | Fix Released | Undecided | Unassigned |
Utopic | Fix Released | Undecided | Unassigned |
Bug Description
See http://
Stack overflow in vararg functions with many fixed parameters called with few arguments.
reported by 云风 on 17 Apr 2013. existed since 5.1. fixed in 5.2.3.
Example:
function f(p1, p2, p3, p4, p5, p6, p7, p8, p9, p10,
           p11, p12, p13, p14, p15, p16, p17, p18, p19, p20,
           p21, p22, p23, p24, p25, p26, p27, p28, p29, p30,
           p31, p32, p33, p34, p35, p36, p37, p38, p39, p40,
           p41, p42, p43, p44, p45, p46, p48, p49, p50, ...)
  local a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13, a14
end
f() -- crashes on some machines
Patch:
ldo.c:
@@ -324,7 +324,7 @@
case LUA_TLCL: { /* Lua function: prepare its call */
StkId base;
Proto *p = clLvalue(func)->p;
- luaD_checkstack(L, p->maxstacksize);
+ luaD_checkstack(L, p->maxstacksize + p->numparams);
func = restorestack(L, funcr);
n = cast_int(L->top - func) - 1; /* number of real arguments */
for (; n < p->numparams; n++)
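Review bot: The changed luaD_checkstack call adds p->numparams to p->maxstacksize without a comment saying why, and the reason cannot be read off the call itself. Add a short comment on the `+` line stating that the extra slots cover the fixed parameters of a function called with fewer arguments than it declares, which is the case named in this report's title and the range the `for (; n < p->numparams; n++)` loop at the end of the hunk iterates over. The f() reproducer from the bug description should also be added as a regression test alongside this change, since the report says the crash shows up only on some machines and a silent regression would be easy to miss.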
CVE References
information type: Public → Public Security
Changed in lua5.1 (Ubuntu Trusty):
status: New → Fix Released
status: Fix Released → Confirmed
Changed in lua5.1 (Ubuntu Precise):
status: New → Confirmed
Changed in lua5.2 (Ubuntu Utopic):
status: New → Fix Released
Changed in lua5.2 (Ubuntu Trusty):
status: New → Fix Released
Changed in lua5.2 (Ubuntu Precise):
status: New → Confirmed
Changed in lua5.1 (Ubuntu Utopic):
status: New → Confirmed
Changed in lua5.1 (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in lua5.1 (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in lua5.1 (Ubuntu Utopic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in lua5.1 (Ubuntu Precise):
importance: Undecided → Medium
Changed in lua5.1 (Ubuntu Trusty):
importance: Undecided → Medium
Changed in lua5.2 (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
This bug was fixed in the package lua5.1 - 5.1.5-5ubuntu1
---------------
lua5.1 (5.1.5-5ubuntu1) utopic; urgency=medium
  * SECURITY UPDATE: possible code execution via overflow in vararg
    functions (LP: #1362278)
    - debian/patches/CVE-2014-5461.patch: properly calculate length in
      src/ldo.c.
    - CVE-2014-5461
-- Marc Deslauriers <email address hidden> Tue, 02 Sep 2014 12:01:58 -0400