Re: f=load("load(f)");f() bug found by AFL fuzzer

  • From: Alexander Nasonov <alnsn@xxxxxxxxx>
  • To: luajit@xxxxxxxxxxxxx
  • Date: Mon, 2 Mar 2015 18:51:07 +0000

Coda Highland wrote:
> Fixed the 5.2-ism:
> 
> $ lua
> Lua 5.1.5  Copyright (C) 1994-2012 Lua.org, PUC-Rio
> > s = loadstring"load(s)"
> > load(s)
> 
> Here, it just hangs instead of crashing. I'm guessing PUC-Rio Lua is
> handling the stack differently, but it's still a DoS from untrusted
> code.

Lua 5.2 and 5.3 don't hang, though they don't report any error either.

> And thinking about it this way reveals the issue: This isn't a bug, or
> at least, it's not a bug you can do anything about without making Mr.
> Turing very upset.
> 
> Let's walk through it:
> 
> The first line, s = loadstring"load(s)", is equivalent to:
> 
> function s()
>   load(s)
> end
> 
> (And note that it still crashes if you define it this way instead of
> using loadstring.)
> 
> The second line, load(s), uses the function s as a reader that's
> supposed to return incremental parts of the input file. However, s
> just calls load(s)... which calls s... which calls load(s)...
> 
> You're just overflowing the stack with infinite recursion.

Does Lua have any checks that trigger before the C stack overflows?
Or is it one of the few corner cases that should be avoided by a programmer?

Alex
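The reproducer under discussion, together with one way a sandbox can bound this kind of recursion from its own side rather than relying on the interpreter's C-stack check. This is an added example, not code from the thread or from LuaJIT; `guarded_load`, `MAX_LOAD_DEPTH` and `peak_depth` are names chosen here, and the depth limit is an assumed value. It targets Lua 5.1 / LuaJIT, where `loadstring` exists and `load` accepts a reader function.

```lua
-- Added example (not from the thread): the recursive reader from the
-- discussion, plus a re-entrancy guard around load() that a sandbox can
-- install so untrusted code cannot drive load() into unbounded recursion.
-- Written for Lua 5.1 / LuaJIT (loadstring exists; load accepts a reader).
-- MAX_LOAD_DEPTH, guarded_load and peak_depth are names chosen here,
-- not Lua or LuaJIT APIs.

local raw_load = load
local MAX_LOAD_DEPTH = 8      -- assumed limit; pick one your own code never needs
local depth, peak_depth = 0, 0

-- Drop-in replacement for load(): same arguments, same (fn) / (nil, err)
-- results, but refuses to nest more than MAX_LOAD_DEPTH levels deep.
-- Nesting happens when a reader function passed to load() itself calls load().
local function guarded_load(chunk, chunkname)
  if depth >= MAX_LOAD_DEPTH then
    return nil, "load: reader re-entered load() more than "
                .. MAX_LOAD_DEPTH .. " levels deep"
  end
  depth = depth + 1
  if depth > peak_depth then peak_depth = depth end
  -- pcall so the counter is restored even if raw_load raises
  -- (e.g. "not enough memory") instead of returning nil, err.
  local ok, fn, err = pcall(raw_load, chunk, chunkname)
  depth = depth - 1
  if not ok then
    return nil, fn          -- fn holds the error object here
  end
  return fn, err
end

-- Install the guard where the untrusted chunk will look for it.
load = guarded_load

-- The reproducer from the thread: s is a reader whose body calls load(s).
s = loadstring("load(s)")
local fn, err = load(s)

-- With the guard, the innermost load() returns nil, err instead of
-- recursing; s discards that result and returns nothing, so each
-- enclosing load() sees end-of-input, compiles an empty chunk and returns.
print("result:", fn, err)
print("deepest nesting reached:", peak_depth)   -- equals MAX_LOAD_DEPTH
```

The guard only covers re-entry through this `load`; a sandbox that also exposes `loadfile`, `dofile` or `require` needs the same counter around those, and the limit should be far below whatever depth the interpreter itself tolerates so the sandbox fails with a clean error rather than with a stack overflow.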
