Bugzilla – Bug 1174540
VUL-1: CVE-2020-15945: lua,lua51,lua53,lua54: segmentation fault in changedline in ldebug.c
Last modified: 2021-08-26 15:51:35 UTC
CVE-2020-15945 Lua through 5.4.0 has a segmentation fault in changedline in ldebug.c (e.g., when called by luaG_traceexec) because it incorrectly expects that an oldpc value is always updated upon a return of the flow of control to a function.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15945
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15945
https://github.com/lua/lua/commit/a2195644d89812e5b157ce7bac35543e06db05e3
http://lua-users.org/lists/lua-l/2020-07/msg00123.html
I was not able to reproduce it in any lua versions that we ship. I also tried in lua54 in TW. The issue, though, is reproducible in commit [1], that is, the commit before the fix [2]. The POC, found at [3], can be reproduced by simply running it, with gdb (if "set disable-randomization off" is set) or with valgrind. I tracked that our lua versions are not affected, but I am not completely sure. The POC can be found at [3].

The output with valgrind looks like:

valgrind -s ./lua $POC
Invalid read of size 1
==13316==    at 0x40882A: luaG_traceexec (in /home/alex/lua/lua)
==13316==    by 0x416442: luaV_execute (in /home/alex/lua/lua)
==13316==    by 0x415BEF: luaV_execute (in /home/alex/lua/lua)
==13316==    by 0x415BEF: luaV_execute (in /home/alex/lua/lua)
==13316==    by 0x4093CA: unroll (in /home/alex/lua/lua)
==13316==    by 0x408BB5: luaD_rawrunprotected (in /home/alex/lua/lua)
==13316==    by 0x40997F: lua_resume (in /home/alex/lua/lua)
==13316==    by 0x42837F: auxresume (in /home/alex/lua/lua)
==13316==    by 0x428438: luaB_auxwrap (in /home/alex/lua/lua)
==13316==    by 0x4096DF: luaD_call (in /home/alex/lua/lua)
==13316==    by 0x415BEF: luaV_execute (in /home/alex/lua/lua)
==13316==    by 0x40986B: luaD_callnoyield (in /home/alex/lua/lua)
==13316==  Address 0x5bc3d85 is 11 bytes before a block of size 16 free'd
==13316==    at 0x4C308BF: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==13316==    by 0x40D28E: luaM_realloc_ (in /home/alex/lua/lua)
==13316==    by 0x40D2F0: luaM_saferealloc_ (in /home/alex/lua/lua)
==13316==    by 0x40D3BF: luaM_shrinkvector_ (in /home/alex/lua/lua)
==13316==    by 0x40EF7B: close_func (in /home/alex/lua/lua)
==13316==    by 0x40FD6B: body (in /home/alex/lua/lua)
==13316==    by 0x40F603: statement (in /home/alex/lua/lua)
==13316==    by 0x40FB22: statlist (in /home/alex/lua/lua)
==13316==    by 0x410ACA: test_then_block (in /home/alex/lua/lua)
==13316==    by 0x40F16D: statement (in /home/alex/lua/lua)
==13316==    by 0x40FB22: statlist (in /home/alex/lua/lua)
==13316==    by 0x410B55: block (in /home/alex/lua/lua)
==13316==  Block was alloc'd at
==13316==    at 0x4C308BF: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==13316==    by 0x40D28E: luaM_realloc_ (in /home/alex/lua/lua)
==13316==    by 0x40D2F0: luaM_saferealloc_ (in /home/alex/lua/lua)
==13316==    by 0x40D368: luaM_growaux_ (in /home/alex/lua/lua)
==13316==    by 0x41A8F3: savelineinfo (in /home/alex/lua/lua)
==13316==    by 0x41B0B5: luaK_code (in /home/alex/lua/lua)
==13316==    by 0x40EF35: close_func (in /home/alex/lua/lua)
==13316==    by 0x40FD6B: body (in /home/alex/lua/lua)
==13316==    by 0x40F603: statement (in /home/alex/lua/lua)
==13316==    by 0x40FB22: statlist (in /home/alex/lua/lua)
==13316==    by 0x410ACA: test_then_block (in /home/alex/lua/lua)
==13316==    by 0x40F16D: statement (in /home/alex/lua/lua)
==13316==
==13316== ERROR SUMMARY: 165 errors from 1 contexts (suppressed: 0 from 0)

[1] https://github.com/lua/lua/commit/1ecfbfa1a1debd2258decdf7c1954ac6f9761699
[2] https://github.com/lua/lua/commit/a2195644d89812e5b157ce7bac35543e06db05e3
[3] http://lua-users.org/lists/lua-l/2020-07/msg00123.html
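The CVE text says changedline assumes oldpc was refreshed whenever control returns to a function, and the valgrind report above shows the resulting read landing outside a block that savelineinfo allocated. The C model below is an added illustration, not code from Lua or from this bug report: it shows why a stale oldpc turns into an out-of-bounds index into a line table and the shape of a range check that neutralizes it. Proto, State, oldpc_is_stale, traceexec_checked, hook_mask and the sample line tables are my own simplified constructs, not Lua's structures, and validating oldpc against the function's instruction count is an assumed mitigation, not a description of what the referenced fix commit does.

```c
#include <stdio.h>

/* Simplified model (not Lua's real structures) of what a line hook consults:
 * a function prototype with its instruction count and a per-instruction
 * source-line table. */
typedef struct {
  const char *name;
  int sizecode;      /* number of instructions in this function */
  const int *lines;  /* lines[pc] = source line of instruction pc, pc < sizecode */
} Proto;

/* Model of interpreter state that outlives one function: the pc at which
 * the line hook last fired. After a coroutine resume or a return it may
 * still refer to a different function than the one now executing. */
typedef struct {
  int oldpc;
} State;

static int getfuncline(const Proto *p, int pc) {
  return p->lines[pc];
}

/* A stale oldpc is one that cannot index p's own tables. Trusting it means
 * reading lines[oldpc] outside the table, which is the kind of invalid
 * read valgrind flags in the report above. */
static int oldpc_is_stale(const Proto *p, int oldpc) {
  return oldpc < 0 || oldpc >= p->sizecode;
}

/* Decide whether the line hook should fire at instruction newpc of p:
 * when execution moved backwards (loop or function entry) or when the
 * source line changed. The range check is the mitigation (assumed here):
 * a stale oldpc is replaced by 0 instead of being used as an index. */
static int traceexec_checked(State *L, const Proto *p, int newpc) {
  int oldpc = oldpc_is_stale(p, L->oldpc) ? 0 : L->oldpc;
  int fire = (newpc <= oldpc) || (getfuncline(p, oldpc) != getfuncline(p, newpc));
  L->oldpc = newpc;
  return fire;
}

/* Run p from first_pc to last_pc starting with a given oldpc and return a
 * bitmask with bit i set if the hook fired at pc i. */
static unsigned hook_mask(const Proto *p, int start_oldpc, int first_pc, int last_pc) {
  State L = { start_oldpc };
  unsigned mask = 0;
  for (int pc = first_pc; pc <= last_pc && pc < p->sizecode; pc++)
    if (traceexec_checked(&L, p, pc))
      mask |= 1u << pc;
  return mask;
}

/* Constructed sample functions: a 10-instruction function A and a
 * 3-instruction function B. */
static const int SAMPLE_LINES_A[] = {1, 1, 2, 2, 3, 3, 4, 4, 5, 5};
static const int SAMPLE_LINES_B[] = {7, 8, 8};
static const Proto SAMPLE_A = {"A", 10, SAMPLE_LINES_A};
static const Proto SAMPLE_B = {"B", 3, SAMPLE_LINES_B};

int main(void) {
  State L = {0};

  /* Run A to its last instruction so oldpc ends at 9. */
  for (int pc = 0; pc < SAMPLE_A.sizecode; pc++)
    printf("%s pc=%d hook=%d\n", SAMPLE_A.name, pc, traceexec_checked(&L, &SAMPLE_A, pc));

  /* Control now enters B by a path that leaves L.oldpc untouched. */
  printf("entering %s with oldpc=%d stale=%d\n", SAMPLE_B.name, L.oldpc,
         oldpc_is_stale(&SAMPLE_B, L.oldpc));
  for (int pc = 0; pc < SAMPLE_B.sizecode; pc++)
    printf("%s pc=%d hook=%d\n", SAMPLE_B.name, pc, traceexec_checked(&L, &SAMPLE_B, pc));
  return 0;
}
```

The point of the model is the single comparison in traceexec_checked: without it, a value of 9 left over from A indexes a 3-entry table in B, and whether that lands on freed memory, another object or an unmapped page depends only on the allocator, which is why the report above shows a read 11 bytes before a freed 16-byte block rather than a clean crash every time.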
This is an autogenerated message for OBS integration: This bug (1174540) was mentioned in https://build.opensuse.org/request/show/827619 Factory / lua54