Out-of-Bounds Read in luaO_pushvfstring Due to Unsanitized String Inputs

Cullen Clay (你講話真的很機車)

7:00 AM
to lua-l
### Summary
The function `luaO_pushvfstring` in `lobject.c` suffers from a CWE-125 (Out-of-Bounds Read) vulnerability due to the use of `strlen` on unsanitized, potentially non-null-terminated strings.

### Description
1. The target function is `luaO_pushvfstring` located in `lobject.c`, which constructs formatted strings using variable arguments and a format string. The function's processing includes:
   - **Line 386**: `strlen` is invoked on the string argument `s` obtained from `va_arg(argp, char*)`.
   - **Line 388**: The function passes the string `s` directly to `addstr2buff`, which uses `strlen` without any null-termination validation.

2. If the caller provides a non-null-terminated string, this will cause `strlen` to read past allocated memory until it finds a null byte, thereby leading to an out-of-bounds read.

3. The function does not perform validation or sanitization to ensure that the string `s` passed to `strlen` is null-terminated. This could happen when the function is called via the Lua API, where untrusted strings may be passed.

4. There are no checks or mitigations against non-null-terminated strings, and the data flow from the variable arguments (source) to `strlen` (sink) is direct and unverified, making the function vulnerable to exploitation if an attacker can control the input strings.

### Code Snippet
```c
// Method: luaO_pushvfstring#378#441#lobject.c
378: const char *luaO_pushvfstring (lua_State *L, const char *fmt, va_list argp) {
382:   while ((e = strchr(fmt, '%')) != NULL) {
383:     addstr2buff(&buff, fmt, ct_diff2sz(e - fmt));  
386:         const char *s = va_arg(argp, char *);
388:         addstr2buff(&buff, s, strlen(s));
439:   }
}
```

### Conclusion
Due to the lack of validation for null-terminated strings, `luaO_pushvfstring` can lead to potential out-of-bounds memory reads, making it susceptible to vulnerabilities. It is recommended to add checks to ensure that strings are null-terminated before processing them with `strlen`.

**Version Affected: 0b73ed8f083c99b5ff88e0822532db7ad8785881**
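For readers following the `strlen` argument above, here is a small standalone illustration of the two contracts involved. It is example code written for this thread, not Lua's implementation and not the poster's code; `Buff`, `addstr2buff_ex`, `pushvfstring_ex`, `pushfstring_ex` and the `demo_*` functions are hypothetical names, and the five-byte `field` array is a constructed input. A `%s` directive takes its length from `strlen` and therefore requires the caller to pass a NUL-terminated string; a `%.*s` directive (an `int` length followed by the pointer, mirroring printf's precision argument) carries the bound explicitly, so a fixed-width, unterminated buffer can be formatted without any read past its end, and unknown directives are rejected rather than consuming varargs of an unknown type:

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for the BuffFS/addstr2buff machinery in lobject.c.
 * Example code written for this thread, not Lua's implementation. */
typedef struct {
    char data[256];
    size_t len;
    int truncated;   /* set if input did not fit (this demo never grows the buffer) */
} Buff;

static void addstr2buff_ex(Buff *b, const char *s, size_t n) {
    size_t room = sizeof b->data - 1 - b->len;
    if (n > room) { n = room; b->truncated = 1; }
    if (n > 0) memcpy(b->data + b->len, s, n);
    b->len += n;
    b->data[b->len] = '\0';
}

/* Directives handled (hypothetical subset, chosen for the example):
 *   %s    NUL-terminated C string: length comes from strlen, so the caller
 *         must guarantee termination, exactly the contract the report is about
 *   %.*s  an int length followed by a pointer: the read is bounded by the
 *         caller-supplied length and never depends on a terminator
 *   %%    literal '%'
 * Returns the number of directives consumed, or -1 on an unknown directive. */
static int pushvfstring_ex(Buff *b, const char *fmt, va_list argp) {
    const char *e;
    int n = 0;
    while ((e = strchr(fmt, '%')) != NULL) {
        addstr2buff_ex(b, fmt, (size_t)(e - fmt));   /* literal text before '%' */
        if (e[1] == 's') {
            const char *s = va_arg(argp, const char *);
            if (s == NULL) s = "(null)";
            addstr2buff_ex(b, s, strlen(s));
            fmt = e + 2;
        } else if (e[1] == '.' && e[2] == '*' && e[3] == 's') {
            int len = va_arg(argp, int);
            const char *s = va_arg(argp, const char *);
            if (len < 0 || (s == NULL && len > 0)) return -1;
            addstr2buff_ex(b, s, (size_t)len);
            fmt = e + 4;
        } else if (e[1] == '%') {
            addstr2buff_ex(b, "%", 1);
            fmt = e + 2;
        } else {
            return -1;   /* unsupported directive: fail closed instead of guessing */
        }
        n++;
    }
    addstr2buff_ex(b, fmt, strlen(fmt));   /* trailing literal text */
    return n;
}

static int pushfstring_ex(Buff *b, const char *fmt, ...) {
    va_list argp;
    int r;
    b->len = 0; b->data[0] = '\0'; b->truncated = 0;
    va_start(argp, fmt);
    r = pushvfstring_ex(b, fmt, argp);
    va_end(argp);
    return r;
}

static Buff g_demo;

/* A constructed 5-byte field with no terminator, as a fixed-width record
 * might hold it. Passed through %.*s with its length, so nothing past the
 * array is ever read. Returns the formatted length, or -1 on error. */
int demo_bounded(void) {
    char field[5] = {'h', 'e', 'l', 'l', 'o'};
    int r = pushfstring_ex(&g_demo, "name=<%.*s> pct=%%", (int)sizeof field, field);
    return r < 0 ? r : (int)g_demo.len;
}

const char *demo_text(void) { return g_demo.data; }

/* Unsupported directives are rejected rather than consuming unknown varargs. */
int demo_unknown_directive(void) {
    Buff b;
    return pushfstring_ex(&b, "count=%d", 1);
}

int main(void) {
    int n = demo_bounded();
    printf("%d bytes: %s\n", n, demo_text());
    return n < 0;
}
```

The design point is that a formatter cannot detect a missing terminator after the fact; the bound has to arrive with the pointer. If a call site holds length-delimited data, the fix belongs at that call site (pass the length, or copy into a terminated buffer first), which is also where a reviewer would look when auditing callers of `%s`.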