author | Rich Burridge <rich.burridge@oracle.com> |
Tue, 09 Sep 2014 15:00:31 -0700 | |
branch | s11u2-sru |
changeset 3303 | 353b45759c7e |
permissions | -rw-r--r-- |
19535331 problem in UTILITY/LUA
An overflow flaw was fixed in Lua 5.2.2:

http://www.lua.org/bugs.html#5.2.2-1

This could cause the application to crash or, potentially, execute arbitrary
code. One way an attacker could trigger this issue is if they can control
parameters to a loadstring call (an eval in Lua,
http://en.wikipedia.org/wiki/Eval#Lua).

See also:

https://bugzilla.redhat.com/show_bug.cgi?id=1132304

--- lua-5.1.4/src/ldo.c.orig 2014-08-31 09:15:30.815313542 -0700 |
+++ lua-5.1.4/src/ldo.c 2014-08-31 09:21:37.935417299 -0700 |
@@ -273,7 +273,7 @@ |
CallInfo *ci; |
StkId st, base; |
Proto *p = cl->p; |
- luaD_checkstack(L, p->maxstacksize); |
+ luaD_checkstack(L, p->maxstacksize + p->numparams); |
func = restorestack(L, funcr); |
if (!p->is_vararg) { /* no varargs? */ |
base = func + 1; |
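Review bot: The changed `luaD_checkstack(L, p->maxstacksize + p->numparams);` call carries no comment saying why `numparams` extra slots are reserved, and the check now over-reserves on the `!p->is_vararg` path that immediately follows. Please add a one-line comment at the call stating which path needs the extra slots, so a later cleanup does not revert it to `p->maxstacksize`. Separately, the description says the flaw "was fixed in Lua 5.2.2" while the hunk is against `lua-5.1.4/src/ldo.c`; the description should say explicitly that this is a backport and that the 5.1.4 code has the same unchecked stack use.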