Keep minimum size when shrinking a stack
When shrinking a stack (during GC), do not make it smaller than the
initial stack size.
roberto-ieru committed Jul 6, 2020
1 parent b57574d commit 6298903
Showing 1 changed file with 2 additions and 3 deletions.
5 changes: 2 additions & 3 deletions ldo.c
Expand Up @@ -245,13 +245,12 @@ static int stackinuse (lua_State *L) {

void luaD_shrinkstack (lua_State *L) {
int inuse = stackinuse(L);
int goodsize = inuse + (inuse / 8) + 2*EXTRA_STACK;
int goodsize = inuse + BASIC_STACK_SIZE;
if (goodsize > LUAI_MAXSTACK)
goodsize = LUAI_MAXSTACK; /* respect stack limit */
/* if thread is currently not handling a stack overflow and its
good size is smaller than current size, shrink its stack */
if (inuse <= (LUAI_MAXSTACK - EXTRA_STACK) &&
goodsize < L->stacksize)
if (inuse <= (LUAI_MAXSTACK - EXTRA_STACK) && goodsize < L->stacksize)
luaD_reallocstack(L, goodsize, 0); /* ok if that fails */
else /* don't change stack */
condmovestack(L,{},{}); /* (change only for debugging) */
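Review bot: The new `int goodsize = inuse + BASIC_STACK_SIZE;` line carries the whole invariant from the commit message (never shrink below the initial stack size), but nothing at that line says so, and it silently drops the `2*EXTRA_STACK` term the old expression kept. Suggest a comment there stating that BASIC_STACK_SIZE is the initial stack size and is expected to cover the EXTRA_STACK reserve the old formula added, so a later change to either constant does not quietly reintroduce an undersized stack after a GC shrink. The headroom is also now a fixed amount instead of proportional (`inuse / 8`), so a thread with a deep stack is shrunk to within BASIC_STACK_SIZE slots of what it uses; worth confirming that is intended, since the `luaD_reallocstack(L, goodsize, 0)` call below takes `goodsize` as given.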

4 comments on commit 6298903

@sonicgemini

wonder if lua 5.3.5 has the same issue?

@BrunoVernay

At least the CVE https://nvd.nist.gov/vuln/detail/CVE-2020-15888 says all versions are impacted up to (including) 5.4.0.
What is more concerning is whether this commit alone fixes the CVE or if the other commit referenced in the CVE, eb41999, is also required?
Because only this commit has been backported to 5.3.6, not the other one. Since there is no 5.3.7 to clearly fix this vulnerability, the security status is uncertain.

@roberto-ieru roberto-ieru commented on 6298903 Apr 21, 2021 via email

@samboy samboy commented on 6298903 Jul 28, 2021

According to https://ubuntu.com/security/CVE-2020-15888 this only affects Lua 5.4. If that assessment is in error, could someone please link to patches for earlier versions of Lua?