Bug 1174540 - (CVE-2020-15945) VUL-1: CVE-2020-15945: lua,lua51,lua53,lua54: segmentation fault in changedline in ldebug.c
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low
Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/264227/
Reported: 2020-07-27 12:23 UTC by Alexandros Toptsoglou
Modified: 2021-08-26 15:51 UTC

Found By: Security Response Team
Description Alexandros Toptsoglou 2020-07-27 12:23:47 UTC
CVE-2020-15945

Lua through 5.4.0 has a segmentation fault in changedline in ldebug.c (e.g.,
when called by luaG_traceexec) because it incorrectly expects that an oldpc
value is always updated upon a return of the flow of control to a function.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15945
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15945
https://github.com/lua/lua/commit/a2195644d89812e5b157ce7bac35543e06db05e3
http://lua-users.org/lists/lua-l/2020-07/msg00123.html
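As an added illustration (not code from this report or from Lua itself), a constructed C model of what the description means: a changedline-style scan over per-instruction line deltas, first in the shape that trusts oldpc, then with a bounds check in front of it. The Proto struct and delta encoding are simplified assumptions (Lua's absolute-line entries are left out), and treating a stale oldpc as 0 is my reading of the fallback in the upstream fix, not a quote of it.

```c
#include <stdio.h>
/* Constructed, simplified model of the data that ldebug.c's changedline()
 * walks: one signed per-instruction line delta.  Not Lua's own struct. */
typedef struct {
  int sizecode;                 /* number of instructions in the function */
  int baseline;                 /* source line of instruction 0 */
  const signed char *lineinfo;  /* lineinfo[pc] = line(pc) - line(pc - 1) */
} Proto;

/* Source line of instruction pc; pc must be in [0, sizecode). */
int func_line(const Proto *p, int pc) {
  int line = p->baseline;
  for (int i = 1; i <= pc; i++) line += p->lineinfo[i];
  return line;
}

/* Same shape as changedline(): scan lineinfo[oldpc+1 .. newpc] for a
 * non-zero delta.  With a stale oldpc (derived from another function's code,
 * so possibly negative or past sizecode) this indexes lineinfo out of
 * bounds, consistent with the invalid read valgrind reports in this bug. */
int changed_line_unchecked(const Proto *p, int oldpc, int newpc) {
  while (oldpc++ < newpc)
    if (p->lineinfo[oldpc] != 0)
      return func_line(p, oldpc - 1) != func_line(p, newpc);
  return 0;
}

/* Hardened entry point: validate both pcs against the current function
 * before indexing.  A stale oldpc is treated as 0 (function entry), my
 * reading of the upstream fallback; refreshing oldpc when control returns
 * to a function, the other half of the fix, is not modelled here. */
int changed_line_checked(const Proto *p, int oldpc, int newpc) {
  if (newpc < 0 || newpc >= p->sizecode) return 0;  /* nothing to compare */
  if (oldpc < 0 || oldpc >= p->sizecode) oldpc = 0;  /* stale: as if entered */
  return changed_line_unchecked(p, oldpc, newpc);
}

/* Constructed 6-instruction function on lines 10,10,11,11,13,13. */
const Proto *demo_proto(void) {
  static const signed char deltas[] = {0, 0, 1, 0, 2, 0};
  static const Proto p = {6, 10, deltas};
  return &p;
}

int main(void) {
  const Proto *p = demo_proto();
  printf("%d %d %d\n", changed_line_checked(p, 1, 2),
         changed_line_checked(p, 2, 3), changed_line_checked(p, -9, 3));
  return 0;  /* prints "1 0 1" */
}
```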
Comment 1 Alexandros Toptsoglou 2020-07-27 12:31:17 UTC
I was not able to reproduce it in any lua versions that we ship. I also tried in lua54 in TW. The issue, though, is reproducible in commit [1], that is, the commit before the fix [2]. The POC, found at [3], can be reproduced by simply running it, with gdb (if "set disable-randomization off" is set) or with valgrind.
I tracked that our lua versions are not affected, but I am not completely sure. The POC can be found at [3].
 
The output with valgrind looks like:

valgrind -s ./lua $POC

==13316== Invalid read of size 1
==13316==    at 0x40882A: luaG_traceexec (in /home/alex/lua/lua)
==13316==    by 0x416442: luaV_execute (in /home/alex/lua/lua)
==13316==    by 0x415BEF: luaV_execute (in /home/alex/lua/lua)
==13316==    by 0x415BEF: luaV_execute (in /home/alex/lua/lua)
==13316==    by 0x4093CA: unroll (in /home/alex/lua/lua)
==13316==    by 0x408BB5: luaD_rawrunprotected (in /home/alex/lua/lua)
==13316==    by 0x40997F: lua_resume (in /home/alex/lua/lua)
==13316==    by 0x42837F: auxresume (in /home/alex/lua/lua)
==13316==    by 0x428438: luaB_auxwrap (in /home/alex/lua/lua)
==13316==    by 0x4096DF: luaD_call (in /home/alex/lua/lua)
==13316==    by 0x415BEF: luaV_execute (in /home/alex/lua/lua)
==13316==    by 0x40986B: luaD_callnoyield (in /home/alex/lua/lua)
==13316==  Address 0x5bc3d85 is 11 bytes before a block of size 16 free'd
==13316==    at 0x4C308BF: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==13316==    by 0x40D28E: luaM_realloc_ (in /home/alex/lua/lua)
==13316==    by 0x40D2F0: luaM_saferealloc_ (in /home/alex/lua/lua)
==13316==    by 0x40D3BF: luaM_shrinkvector_ (in /home/alex/lua/lua)
==13316==    by 0x40EF7B: close_func (in /home/alex/lua/lua)
==13316==    by 0x40FD6B: body (in /home/alex/lua/lua)
==13316==    by 0x40F603: statement (in /home/alex/lua/lua)
==13316==    by 0x40FB22: statlist (in /home/alex/lua/lua)
==13316==    by 0x410ACA: test_then_block (in /home/alex/lua/lua)
==13316==    by 0x40F16D: statement (in /home/alex/lua/lua)
==13316==    by 0x40FB22: statlist (in /home/alex/lua/lua)
==13316==    by 0x410B55: block (in /home/alex/lua/lua)
==13316==  Block was alloc'd at
==13316==    at 0x4C308BF: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==13316==    by 0x40D28E: luaM_realloc_ (in /home/alex/lua/lua)
==13316==    by 0x40D2F0: luaM_saferealloc_ (in /home/alex/lua/lua)
==13316==    by 0x40D368: luaM_growaux_ (in /home/alex/lua/lua)
==13316==    by 0x41A8F3: savelineinfo (in /home/alex/lua/lua)
==13316==    by 0x41B0B5: luaK_code (in /home/alex/lua/lua)
==13316==    by 0x40EF35: close_func (in /home/alex/lua/lua)
==13316==    by 0x40FD6B: body (in /home/alex/lua/lua)
==13316==    by 0x40F603: statement (in /home/alex/lua/lua)
==13316==    by 0x40FB22: statlist (in /home/alex/lua/lua)
==13316==    by 0x410ACA: test_then_block (in /home/alex/lua/lua)
==13316==    by 0x40F16D: statement (in /home/alex/lua/lua)
==13316== 
==13316== ERROR SUMMARY: 165 errors from 1 contexts (suppressed: 0 from 0)


[1] https://github.com/lua/lua/commit/1ecfbfa1a1debd2258decdf7c1954ac6f9761699
[2] https://github.com/lua/lua/commit/a2195644d89812e5b157ce7bac35543e06db05e3
[3] http://lua-users.org/lists/lua-l/2020-07/msg00123.html
Comment 2 OBSbugzilla Bot 2020-08-18 15:30:07 UTC
This is an autogenerated message for OBS integration:
This bug (1174540) was mentioned in
https://build.opensuse.org/request/show/827619 Factory / lua54
Comment 3 Callum Farmer 2020-08-21 09:20:11 UTC
COMPLETED
Comment 4 Callum Farmer 2020-09-23 12:37:30 UTC
COMPLETED.
Comment 5 Marcus Meissner 2021-08-26 15:51:35 UTC
close