Stack overflow in vararg functions with many fixed parameters called with few arguments

Bug #1362278 reported by Jamie Strandboge
Affects            Status        Importance  Assigned to       Milestone
lua5.1 (Ubuntu)    Fix Released  Undecided   Marc Deslauriers
  Precise          Fix Released  Medium      Marc Deslauriers
  Trusty           Fix Released  Medium      Marc Deslauriers
  Utopic           Fix Released  Undecided   Marc Deslauriers
lua5.2 (Ubuntu)    Fix Released  Undecided   Unassigned
  Precise          Fix Released  Undecided   Marc Deslauriers
  Trusty           Fix Released  Undecided   Unassigned
  Utopic           Fix Released  Undecided   Unassigned

Bug Description

See http://www.lua.org/bugs.html section 5.2.2 for details. Essentially:
Stack overflow in vararg functions with many fixed parameters called with few arguments.
Reported by 云风 on 17 Apr 2013. Existed since 5.1. Fixed in 5.2.3.

Example:

function f(p1, p2, p3, p4, p5, p6, p7, p8, p9, p10,
           p11, p12, p13, p14, p15, p16, p17, p18, p19, p20,
           p21, p22, p23, p24, p25, p26, p27, p28, p29, p30,
           p31, p32, p33, p34, p35, p36, p37, p38, p39, p40,
           p41, p42, p43, p44, p45, p46, p48, p49, p50, ...)
  local a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13, a14
end

f() -- crashes on some machines

Patch:

ldo.c:
@@ -324,7 +324,7 @@
     case LUA_TLCL: { /* Lua function: prepare its call */
       StkId base;
       Proto *p = clLvalue(func)->p;
- luaD_checkstack(L, p->maxstacksize);
+ luaD_checkstack(L, p->maxstacksize + p->numparams);
       func = restorestack(L, funcr);
       n = cast_int(L->top - func) - 1; /* number of real arguments */
       for (; n < p->numparams; n++)
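Review bot: the added `p->numparams` in the `luaD_checkstack` call is the whole fix, and the reason it is needed is visible just below it: the loop `for (; n < p->numparams; n++)` pushes one nil for every fixed parameter the caller omitted, and those pushes happen after the check has already run, so a call that supplies far fewer arguments than the function declares could write past the space reserved by `p->maxstacksize` alone. Worth adding a one-line source comment saying why `numparams` is included here, since a later reader will otherwise assume `maxstacksize` already accounts for the parameters and "simplify" it away; and keep `func = restorestack(L, funcr)` directly after the check, since the check can grow the stack and the saved offset is what makes `func` valid again.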

information type: Public → Public Security
Changed in lua5.1 (Ubuntu Trusty):
status: New → Fix Released
status: Fix Released → Confirmed
Changed in lua5.1 (Ubuntu Precise):
status: New → Confirmed
Changed in lua5.2 (Ubuntu Utopic):
status: New → Fix Released
Changed in lua5.2 (Ubuntu Trusty):
status: New → Fix Released
Changed in lua5.2 (Ubuntu Precise):
status: New → Confirmed
Changed in lua5.1 (Ubuntu Utopic):
status: New → Confirmed
Changed in lua5.1 (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in lua5.1 (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in lua5.1 (Ubuntu Utopic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in lua5.1 (Ubuntu Precise):
importance: Undecided → Medium
Changed in lua5.1 (Ubuntu Trusty):
importance: Undecided → Medium
Changed in lua5.2 (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lua5.1 - 5.1.5-5ubuntu1

---------------
lua5.1 (5.1.5-5ubuntu1) utopic; urgency=medium

  * SECURITY UPDATE: possible code execution via overflow in vararg
    functions (LP: #1362278)
    - debian/patches/CVE-2014-5461.patch: properly calculate length in
      src/ldo.c.
    - CVE-2014-5461
 -- Marc Deslauriers <email address hidden> Tue, 02 Sep 2014 12:01:58 -0400

Changed in lua5.1 (Ubuntu Utopic):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lua5.1 - 5.1.4-12ubuntu1.1

---------------
lua5.1 (5.1.4-12ubuntu1.1) precise-security; urgency=medium

  * SECURITY UPDATE: possible code execution via overflow in vararg
    functions (LP: #1362278)
    - debian/patches/CVE-2014-5461.patch: properly calculate length in
      src/ldo.c.
    - CVE-2014-5461
 -- Marc Deslauriers <email address hidden> Tue, 02 Sep 2014 12:47:05 -0400

Changed in lua5.1 (Ubuntu Precise):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lua5.2 - 5.2.0-2ubuntu0.1

---------------
lua5.2 (5.2.0-2ubuntu0.1) precise-security; urgency=medium

  * SECURITY UPDATE: possible code execution via overflow in vararg
    functions (LP: #1362278)
    - debian/patches/CVE-2014-5461.patch: properly calculate length in
      src/ldo.c.
    - CVE-2014-5461
 -- Marc Deslauriers <email address hidden> Wed, 03 Sep 2014 07:39:25 -0400

Changed in lua5.2 (Ubuntu Precise):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lua5.1 - 5.1.5-5ubuntu0.1

---------------
lua5.1 (5.1.5-5ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: possible code execution via overflow in vararg
    functions (LP: #1362278)
    - debian/patches/CVE-2014-5461.patch: properly calculate length in
      src/ldo.c.
    - CVE-2014-5461
 -- Marc Deslauriers <email address hidden> Tue, 02 Sep 2014 12:46:04 -0400

Changed in lua5.1 (Ubuntu Trusty):
status: Confirmed → Fix Released
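As a defender-side check that is not part of this bug report, of Lua, or of the Ubuntu packaging: the four Launchpad Janitor entries above give the first package version carrying the CVE-2014-5461 fix for each release, and that mapping can be turned into a small script that reports whether a host still runs a vulnerable lua5.1 or lua5.2. The release-to-version table is taken from this page (lua5.2 on Trusty and Utopic is marked Fix Released without a changelog entry here, so the script reports it as "not recorded"); the function names `fixed_version`, `version_ge`, `is_patched` and `check_host` are this example's own, and the `sort -V` fallback used when `dpkg` is not present is an assumption so the comparison can also be run off-host against inventory data.

```shell
#!/bin/sh
# Report whether installed lua5.1 / lua5.2 packages on an Ubuntu host are at or
# above the first version containing the CVE-2014-5461 fix (LP: #1362278).

# Fixed versions per Ubuntu release, copied from the changelog entries in the bug.
# Returns 1 when this bug records no fixed version for the pair.
fixed_version() {
  case "$1:$2" in
    lua5.1:precise) echo "5.1.4-12ubuntu1.1" ;;
    lua5.1:trusty)  echo "5.1.5-5ubuntu0.1" ;;
    lua5.1:utopic)  echo "5.1.5-5ubuntu1" ;;
    lua5.2:precise) echo "5.2.0-2ubuntu0.1" ;;
    *) return 1 ;;
  esac
}

# version_ge A B: exit 0 if Debian version A >= B.
# Uses dpkg's own comparison when available; otherwise falls back to sort -V,
# which orders these particular version strings the same way (assumption for
# running the check on a non-Debian machine against collected inventory).
version_ge() {
  if command -v dpkg >/dev/null 2>&1; then
    dpkg --compare-versions "$1" ge "$2"
  else
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
  fi
}

# is_patched PKG RELEASE INSTALLED_VERSION
# exit 0 = fixed version or newer, 1 = older than the fix, 2 = no fix recorded here
is_patched() {
  fixed=$(fixed_version "$1" "$2") || return 2
  version_ge "$3" "$fixed"
}

# Inspect the running host: release codename from lsb_release, versions from dpkg-query.
check_host() {
  release=$(lsb_release -cs 2>/dev/null) || { echo "cannot determine release"; return 2; }
  for pkg in lua5.1 lua5.2; do
    installed=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null) || continue
    [ -n "$installed" ] || continue   # package known to dpkg but not installed
    rc=0
    is_patched "$pkg" "$release" "$installed" || rc=$?
    case $rc in
      0) echo "$pkg $installed ($release): fixed" ;;
      1) echo "$pkg $installed ($release): VULNERABLE, needs $(fixed_version "$pkg" "$release")" ;;
      *) echo "$pkg $installed ($release): no fixed version recorded in LP #1362278" ;;
    esac
  done
}

# Run the host check only when executed directly, not when sourced for the functions.
case "$0" in
  *sh) ;;            # sourced from an interactive shell: define functions only
  *) check_host ;;
esac
```

The comparison is deliberately on the Debian package version rather than on `lua -v` output, because the upstream version string stays 5.1.5 or 5.2.0 after the security update; only the packaging revision changes.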