Re: f=load("load(f)");f() bug found by AFL fuzzer

  • From: Alexander Nasonov <alnsn@xxxxxxxxx>
  • To: luajit@xxxxxxxxxxxxx
  • Date: Mon, 2 Mar 2015 18:51:07 +0000

Coda Highland wrote:
> Fixed the 5.2-ism:
> $ lua
> Lua 5.1.5  Copyright (C) 1994-2012, PUC-Rio
> > s = loadstring"load(s)"
> > load(s)
> Here, it just hangs instead of crashing. I'm guessing PUC-Rio Lua is
> handling the stack differently, but it's still a DoS from untrusted
> code.

Lua 5.2 and 5.3 don't hang. Though, they don't report any error.

> And thinking about it this way reveals the issue: This isn't a bug, or
> at least, it's not a bug you can do anything about without making Mr.
> Turing very upset.
> Let's walk through it:
> The first line, s = loadstring"load(s)", is equivalent to:
> function s()
>   load(s)
> end
> (And note that it still crashes if you define it this way instead of
> using loadstring.)
> The second line, load(s), uses the function s as a reader that's
> supposed to return incremental parts of the input file. However, s
> just calls load(s)... which calls s... which calls load(s)...
> You're just overflowing the stack with infinite recursion.

Does Lua have any checks that trigger before the C stack overflows?
Or is it one of few corner cases that should be avoided by a programmer?


Other related posts: