UBsan: member access within null pointer of type 'struct TString'


Sergey Bronnikov

May 17, 2025, 1:26:44 PM
to lua-l
Hello,

There is an issue in the Lua source code introduced by commit 3b9dd52be02fd43c598f4adb6fa7844e6a573923 ("collective declaration for globals ('global *')").

Imagine a Lua chunk like the following:

cat << EOF > chunk.lua
local chunk = [[
goto phdays
global *
::phdays::
goto phdays
]]

load(chunk)
EOF

A Lua interpreter built with UndefinedBehavior Sanitizer support and
executed with the aforementioned chunk crashed with a segmentation fault
due to a NULL pointer dereference:

$ gdb --args ./lua chunk.lua
<snipped>
lparser.c:549:25: runtime error: member access within null pointer of type 'struct TString'

Program received signal SIGSEGV, Segmentation fault.
0x000055555561c796 in jumpscopeerror (gt=0x55555571cf10, ls=0x7fffffffc6b0) at lparser.c:549
549       const char *varname = getstr(tsname);
(gdb) print tsname
$2 = (TString *) 0x0
(gdb)

Full UBsan report:

INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3983466128
INFO: Loaded 1 modules   (7455 inline 8-bit counters): 7455 [0x5570f61bf6e0, 0x5570f61c13ff),
INFO: Loaded 1 PC tables (7455 PCs): 7455 [0x5570f61c1400,0x5570f61de5f0),
./build/tests/capi/luaL_loadbufferx_test: Running 1 inputs 1 time(s) each.
Running: bugs/oss-fuzz-418319158/tc
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==3244529==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x00000000000b (pc 0x5570f613bf35 bp 0x7ffee700a860 sp 0x7ffee700a800 T3244529)
==3244529==The signal is caused by a READ memory access.
==3244529==Hint: address points to the zero page.
    #0 0x5570f613bf35 in jumpscopeerror /home/sergeyb/sources/lua-c-api-tests/build/lua-master/source/lparser.c:549:25
    #1 0x5570f613bcc1 in closegoto /home/sergeyb/sources/lua-c-api-tests/build/lua-master/source/lparser.c:571:5
    #2 0x5570f613b621 in solvegotos /home/sergeyb/sources/lua-c-api-tests/build/lua-master/source/lparser.c:673:7
    #3 0x5570f613b24c in leaveblock /home/sergeyb/sources/lua-c-api-tests/build/lua-master/source/lparser.c:727:3
    #4 0x5570f6135792 in close_func /home/sergeyb/sources/lua-c-api-tests/build/lua-master/source/lparser.c:806:3
    #5 0x5570f6134e5d in mainfunc /home/sergeyb/sources/lua-c-api-tests/build/lua-master/source/lparser.c:2049:3
    #6 0x5570f6134ae8 in luaY_parser /home/sergeyb/sources/lua-c-api-tests/build/lua-master/source/lparser.c:2071:3
    #7 0x5570f611ec5f in f_parser /home/sergeyb/sources/lua-c-api-tests/build/lua-master/source/ldo.c:1095:10
    #8 0x5570f611976e in luaD_rawrunprotected /home/sergeyb/sources/lua-c-api-tests/build/lua-master/source/ldo.c:148:3
    #9 0x5570f611e7af in luaD_pcall /home/sergeyb/sources/lua-c-api-tests/build/lua-master/source/ldo.c:1045:12
    #10 0x5570f611e9c9 in luaD_protectedparser /home/sergeyb/sources/lua-c-api-tests/build/lua-master/source/ldo.c:1112:12
    #11 0x5570f610ed38 in lua_load /home/sergeyb/sources/lua-c-api-tests/build/lua-master/source/lapi.c:1121:12
    #12 0x5570f6173eb3 in luaL_loadbufferx /home/sergeyb/sources/lua-c-api-tests/build/lua-master/source/lauxlib.c:872:10
    #13 0x5570f610277f in LLVMFuzzerTestOneInput /home/sergeyb/sources/lua-c-api-tests/tests/capi/luaL_loadbufferx_test.c:46:2
    #14 0x5570f60bc38b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/sergeyb/sources/lua-c-api-tests/build/tests/capi/luaL_loadbufferx_test+0x5338b) (BuildId: 9e7a99eb9d810e125a42b546ac7ac605eac64165)
    #15 0x5570f60a515f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/sergeyb/sources/lua-c-api-tests/build/tests/capi/luaL_loadbufferx_test+0x3c15f) (BuildId: 9e7a99eb9d810e125a42b546ac7ac605eac64165)
    #16 0x5570f60ab161 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/sergeyb/sources/lua-c-api-tests/build/tests/capi/luaL_loadbufferx_test+0x42161) (BuildId: 9e7a99eb9d810e125a42b546ac7ac605eac64165)
    #17 0x5570f60d5da2 in main (/home/sergeyb/sources/lua-c-api-tests/build/tests/capi/luaL_loadbufferx_test+0x6cda2) (BuildId: 9e7a99eb9d810e125a42b546ac7ac605eac64165)
    #18 0x7ff70622a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #19 0x7ff70622a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #20 0x5570f609fd54 in _start (/home/sergeyb/sources/lua-c-api-tests/build/tests/capi/luaL_loadbufferx_test+0x36d54) (BuildId: 9e7a99eb9d810e125a42b546ac7ac605eac64165)

==3244529==Register values:
rax = 0x0000000000000000  rbx = 0x000055711fef3af0  rcx = 0x0000000000000000  rdx = 0x00000000000009d8  
rdi = 0x00007ffee700abc8  rsi = 0x0000000000000000  rbp = 0x00007ffee700a860  rsp = 0x00007ffee700a800  
 r8 = 0x00005570f61dea00   r9 = 0x0000000000000010  r10 = 0x2000000000000000  r11 = 0x00005570f61dea00  
r12 = 0x000055711fef6220  r13 = 0x00005570f61dea00  r14 = 0x000055711fef4210  r15 = 0x000000000000002c  
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /home/sergeyb/sources/lua-c-api-tests/build/lua-master/source/lparser.c:549:25 in jumpscopeerror
==3244529==ABORTING

Sergey
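The shape of the failure, as an added illustration that is neither Lua's own parser code nor part of the post above: Lua forbids a goto from jumping forward into the scope of a declaration, and the stack trace (closegoto -> jumpscopeerror) shows that a 'global *' declaration is treated as one such scope even though, unlike a local, it names no variable. The toy model below checks a flat, single-block chunk under that rule; the statement representation, the message wording and the function names are this example's own assumptions, and the crash-prone helper is only called when the program is given a command-line argument.

```c
#include <stdio.h>
#include <string.h>

/*
 * Toy model of Lua's "goto cannot jump into the scope of a declaration"
 * check for a flat, single-block chunk.  Illustrative code, not lparser.c:
 * the real parser tracks nested blocks and active-variable counts.  The one
 * property mirrored from the report is that a 'global *' declaration opens
 * a scope but carries no variable name (name == NULL).
 */
typedef enum { ST_GOTO, ST_LABEL, ST_LOCAL, ST_GLOBAL_ALL } StKind;

typedef struct {
    StKind kind;
    const char *name;  /* goto target, label name or local name;
                          NULL for 'global *', which names nothing */
} Stmt;

/* Crash-prone pattern (same shape as the quoted lparser.c:549): every
 * declaration is assumed to carry a name string. */
size_t varname_len_unsafe(const Stmt *decl) {
    return strlen(decl->name);  /* NULL dereference for 'global *' */
}

/* Hardened variant: a nameless declaration is described by its kind. */
static int describe_decl(const Stmt *decl, char *out, size_t n) {
    if (decl->name == NULL)
        return snprintf(out, n, "'global *' declaration");
    return snprintf(out, n, "local '%s'", decl->name);
}

static int is_decl(const Stmt *s) {
    return s->kind == ST_LOCAL || s->kind == ST_GLOBAL_ALL;
}

static int find_label(const Stmt *s, int n, const char *name) {
    for (int i = 0; i < n; i++)
        if (s[i].kind == ST_LABEL && strcmp(s[i].name, name) == 0)
            return i;
    return -1;
}

/*
 * Check every goto in the chunk.  A backward goto is always legal in this
 * model; a forward goto is illegal when a declaration sits between it and
 * its label, because the label then lies inside that declaration's scope.
 * Returns the number of errors and writes the first message into msg.
 */
static int check_gotos(const Stmt *s, int n, char *msg, size_t msglen) {
    int errors = 0;
    if (msglen) msg[0] = '\0';
    for (int i = 0; i < n; i++) {
        if (s[i].kind != ST_GOTO) continue;
        int target = find_label(s, n, s[i].name);
        if (target < 0) {
            if (errors++ == 0)
                snprintf(msg, msglen, "no visible label '%s' for goto", s[i].name);
            continue;
        }
        for (int j = i + 1; j < target; j++) {
            if (!is_decl(&s[j])) continue;
            if (errors++ == 0) {
                char what[64];
                describe_decl(&s[j], what, sizeof what);
                snprintf(msg, msglen, "<goto %s> jumps into the scope of %s",
                         s[i].name, what);
            }
            break;  /* one error per goto is enough */
        }
    }
    return errors;
}

/* Constructed inputs.  repro[] is the lua-l chunk as statements:
 *   goto phdays / global * / ::phdays:: / goto phdays                */
static const Stmt repro[] = {
    {ST_GOTO, "phdays"}, {ST_GLOBAL_ALL, NULL}, {ST_LABEL, "phdays"}, {ST_GOTO, "phdays"},
};
/* Same shape with an ordinary local:  goto l / local x / ::l::       */
static const Stmt local_case[] = {{ST_GOTO, "l"}, {ST_LOCAL, "x"}, {ST_LABEL, "l"}};
/* Backward jump, always fine here:    ::l:: / local x / goto l       */
static const Stmt backward_case[] = {{ST_LABEL, "l"}, {ST_LOCAL, "x"}, {ST_GOTO, "l"}};

static char g_msg[128];

int repro_error_count(void) { return check_gotos(repro, 4, g_msg, sizeof g_msg); }
const char *repro_error_message(void) { check_gotos(repro, 4, g_msg, sizeof g_msg); return g_msg; }
int local_case_error_count(void) { return check_gotos(local_case, 3, g_msg, sizeof g_msg); }
const char *local_case_error_message(void) { check_gotos(local_case, 3, g_msg, sizeof g_msg); return g_msg; }
int backward_case_error_count(void) { return check_gotos(backward_case, 3, g_msg, sizeof g_msg); }

int main(int argc, char **argv) {
    printf("repro:    %d error(s): %s\n", repro_error_count(), repro_error_message());
    printf("local:    %d error(s): %s\n", local_case_error_count(), local_case_error_message());
    printf("backward: %d error(s)\n", backward_case_error_count());
    if (argc > 1)  /* any argument: take the unsafe path on 'global *' and crash */
        printf("%zu\n", varname_len_unsafe(&repro[1]));
    return 0;
}
```

Built with `-fsanitize=undefined`, the unsafe path reports the same "member access within null pointer" class of finding as the post; the hardened `describe_decl` is the kind of guard that keeps the error reporter from assuming every declaration has a name.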

Roberto Ierusalimschy

May 18, 2025, 10:40:56 AM
to lu...@googlegroups.com
> There is an issue in the Lua source code introduced by commit
> 3b9dd52be02fd43c598f4adb6fa7844e6a573923 ("collective declaration for
> globals ('global *')").
>
> [...]

Thanks for the report.

-- Roberto