![eaabde33ae378e2d078eabf24b26f9ff.png](https://i-blog.csdnimg.cn/blog_migrate/51a1a3d8122a76eb67f81cc3362e2f40.jpeg)
![5bb8b7eb2e341c1037c90698c259f709.png](https://i-blog.csdnimg.cn/blog_migrate/0926b7cfa468f38b6c89bad1c13d6f3d.jpeg)
Lua v5.4.0及之前版本lsys_load()函数加载动态链接库时没有正确处理文件名的长度,造成栈溢出漏洞,可造成拒绝服务问题。
- 01 -
漏洞描述
Lua是一种轻量小巧的脚本语言,用标准C语言编写并以源代码形式开放。
Lua v5.4.0及之前版本lsys_load()函数加载动态链接库时没有正确处理文件名的长度,造成栈溢出漏洞,可造成拒绝服务问题。
- 02 -
影响版本
Lua <= v5.4.0
- 03 -
漏洞复现
$ git clone https://github.com/lua/lua.git$ make$ ./lua ./Stack_overflow_lsys_load.luaAddressSanitizer:DEADLYSIGNAL===================================================================90451==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc56ae1e38 (pc 0x7f84c442acf7 bp 0x7ffc573773f0 sp 0x7ffc56ae1e40 T0) #0 0x7f84c442acf6 (/lib64/ld-linux-x86-64.so.2+0x7cf6) #1 0x7f84c442cd4d (/lib64/ld-linux-x86-64.so.2+0x9d4d) #2 0x7f84c44379c3 (/lib64/ld-linux-x86-64.so.2+0x149c3) #3 0x7f84c31d148e in _dl_catch_exception (/lib/x86_64-linux-gnu/libc.so.6+0x15c48e) #4 0x7f84c44372c5 (/lib64/ld-linux-x86-64.so.2+0x142c5) #5 0x7f84c34a9255 (/lib/x86_64-linux-gnu/libdl.so.2+0x1255) #6 0x7f84c31d148e in _dl_catch_exception (/lib/x86_64-linux-gnu/libc.so.6+0x15c48e) #7 0x7f84c31d151e in _dl_catch_error (/lib/x86_64-linux-gnu/libc.so.6+0x15c51e) #8 0x7f84c34a9a24 (/lib/x86_64-linux-gnu/libdl.so.2+0x1a24) #9 0x7f84c34a92e5 in dlopen (/lib/x86_64-linux-gnu/libdl.so.2+0x12e5) #10 0x7f84c36c9a33 (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x8ea33) #11 0x56529c0e5908 in lsys_load /home/test/Lua/Test_lua/lua/loadlib.c:134 #12 0x56529c0e5908 in lookforfunc /home/test/Lua/Test_lua/lua/loadlib.c:391 #13 0x56529c0e5a14 in ll_loadlib /home/test/Lua/Test_lua/lua/loadlib.c:412 #14 0x56529c09025c in luaD_call /home/test/Lua/Test_lua/lua/ldo.c:481 #15 0x56529c0b8824 in luaV_execute /home/test/Lua/Test_lua/lua/lvm.c:1614 #16 0x56529c0b8824 in luaV_execute /home/test/Lua/Test_lua/lua/lvm.c:1614 #17 0x56529c090605 in luaD_callnoyield /home/test/Lua/Test_lua/lua/ldo.c:525 #18 0x56529c08dc51 in luaD_rawrunprotected /home/test/Lua/Test_lua/lua/ldo.c:148 #19 0x56529c0911e0 in luaD_pcall /home/test/Lua/Test_lua/lua/ldo.c:749 #20 0x56529c086f8f in lua_pcallk /home/test/Lua/Test_lua/lua/lapi.c:1031 #21 0x56529c08042a in docall /home/test/Lua/Test_lua/lua/lua.c:139 #22 0x56529c08179d in handle_script /home/test/Lua/Test_lua/lua/lua.c:228 #23 0x56529c08179d in pmain /home/test/Lua/Test_lua/lua/lua.c:603 #24 0x56529c09025c in luaD_call /home/test/Lua/Test_lua/lua/ldo.c:481 #25 0x56529c090605 in luaD_callnoyield /home/test/Lua/Test_lua/lua/ldo.c:525 #26 0x56529c08dc51 in luaD_rawrunprotected /home/test/Lua/Test_lua/lua/ldo.c:148 #27 0x56529c0911e0 in luaD_pcall /home/test/Lua/Test_lua/lua/ldo.c:749 #28 0x56529c086f8f in lua_pcallk /home/test/Lua/Test_lua/lua/lapi.c:1031 #29 0x56529c07fbda in main /home/test/Lua/Test_lua/lua/lua.c:629 #30 0x7f84c309909a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) #31 0x56529c080239 in _start (/home/test/Lua/Test_lua/lua/lua+0x18239)SUMMARY: AddressSanitizer: stack-overflow (/lib64/ld-linux-x86-64.so.2+0x7cf6) ==90451==ABORTING```
- 04 -
漏洞分析
漏洞发生在package.loadlib函数中,当用package.loadlib加载一个名字很长的动态链接库时,造成栈溢出:
static void *lsys_load (lua_State *L, const char *path, int seeglb) { void *lib = dlopen(path, RTLD_NOW | (seeglb ? RTLD_GLOBAL : RTLD_LOCAL)); ---->crash if (lib == NULL) lua_pushstring(L, dlerror()); return lib;}
- 05 -
修复建议
在加载动态链接库时限制动态链接库的长度。
- 06 -
漏洞演示
往期精选
![427680e13cb7a0a92f5ba18702f1fa1e.png](https://i-blog.csdnimg.cn/blog_migrate/102816aa009834dbf0d2e1593b40bea4.jpeg)
![95c4e1220e6746745614e45c49d5eb86.png](https://i-blog.csdnimg.cn/blog_migrate/6d0cc7fa1a4541188a42e7e068c32f25.jpeg)
![ed674505b6344b04cbacefca61c6ad4a.png](https://i-blog.csdnimg.cn/blog_migrate/faa1bbd430c63da021cecdde279029ca.jpeg)
![4aaeae91cbcf8f31e3d3119943541d52.png](https://i-blog.csdnimg.cn/blog_migrate/478d9e69c99756d5914fdfe0f4b5de93.jpeg)
![dd7a8ef4ad32d485e4fbbae996f04cd4.png](https://i-blog.csdnimg.cn/blog_migrate/8ae86abfc9213a389eeb0a0452531263.jpeg)
![eef536ee638b500a28d0c94549611436.png](https://i-blog.csdnimg.cn/blog_migrate/a6061cf6e05eff70733e6b5b22ffe948.jpeg)
![74d969e56de450fcf0fceed87aab70ea.png](https://i-blog.csdnimg.cn/blog_migrate/211f6d7c8fcb16ac67e39cfdf2777ce8.jpeg)