Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unsinking of IR_FSTORE for NULL metatable #1147

Closed
pwnhacker0x18 opened this issue Jan 23, 2024 · 1 comment
Closed

Unsinking of IR_FSTORE for NULL metatable #1147

pwnhacker0x18 opened this issue Jan 23, 2024 · 1 comment
Labels
2.0 2.1 bug

Comments

@pwnhacker0x18
Copy link

ASAN log:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==42454==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x561c11f6282b bp 0x7f8f3dafb380 sp 0x7ffd1537e530 T0)
==42454==The signal is caused by a READ memory access.
==42454==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
Aborted (core dumped)

Code:

   396 
   397 cTValue *lj_tab_getstr(GCtab *t, const GCstr *key)
   398 {
   399   Node *n = hashstr(t, key);
   400   do {
 ► 401     if (tvisstr(&n->key) && strV(&n->key) == key)
   402       return &n->val;
   403   } while ((n = nextnode(n)));
   404   return NULL;
   405 }
   406

Backtrace log:

#0  0x00005555555ce828 in lj_tab_getstr (t=t@entry=0x7ffff7e53380, key=0x7ffff7e55cf8) at lj_tab.c:401
#1  0x00005555555d10e7 in lj_meta_cache (mt=mt@entry=0x7ffff7e53380, mm=mm@entry=MM_mode, name=<optimized out>) at lj_meta.c:49
#2  0x00005555555c7b9f in gc_traverse_tab (t=0x7ffff7e68f00, g=0x7ffff7e533e0) at lj_gc.c:180
#3  propagatemark (g=0x7ffff7e533e0) at lj_gc.c:333
#4  0x00005555555ca721 in lj_gc_step (L=L@entry=0x7ffff7e53380) at lj_gc.c:744
#5  0x00005555555cabb3 in lj_gc_step_jit (g=<optimized out>, steps=1) at lj_gc.c:777
#6  0x000055552f13fd48 in ?? ()
#7  0xfffdfffff7e57c30 in ?? ()
#8  0x4022000000000000 in ?? ()
#9  0x4022000000000000 in ?? ()
#10 0x0000000a0000000a in ?? ()
#11 0x00007ffff7e54f38 in ?? ()
#12 0x4022000000000000 in ?? ()
#13 0x00007ffff7e66448 in ?? ()
#14 0x00007ffff7e57bc8 in ?? ()
#15 0x00007ffff7e54db8 in ?? ()
#16 0x0000000000000000 in ?? ()

POC:

seen={}function dump(t)seen[t]=true	local s={}n=0	for k in pairs(t)do	n=n+1 s[n]=k	end	table.sort(s)for k,v in pairs(s)do	n={}l0={}l=0
s={}setmetatable(s,u,{})v=t[v]if type(v)=="table"and not seen[v]then	dump(v)end	end
end
return
dump(_G,"")
@MikePall
Copy link
Member

MikePall commented Jan 23, 2024
edited

Missing case to restore KNULL for sunk FSTORE (FREF x tab.meta) NULL.

Fixed. Thanks!

MikePall pushed a commit that referenced this issue Jan 23, 2024
Fix unsinking of IR_FSTORE for NULL metatable.
85b4fed 
Reported by pwnhacker0x18. #1147
@MikePall MikePall changed the title SIGSEGV in lj_tab_getstr Unsinking of IR_FSTORE for NULL metatable Jan 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2.0 2.1 bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@MikePall @pwnhacker0x18