Re: kern/52226: Freeze (infinite loop) in kernel on double lua module require

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost,alexander%mihalicyn.com@localhost
Subject: Re: kern/52226: Freeze (infinite loop) in kernel on double lua module require
From: Marc Balmer <marc%msys.ch@localhost>
Date: Thu, 11 May 2017 19:20:00 +0000 (UTC)

The following reply was made to PR kern/52226; it has been noted by GNATS.

From: Marc Balmer <marc%msys.ch@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: 
Subject: Re: kern/52226: Freeze (infinite loop) in kernel on double lua module
 require
Date: Thu, 11 May 2017 21:19:44 +0200

 As lneto helped with the fix, will he commit it?
 
 Am 11.05.17 um 20:20 schrieb alexander%mihalicyn.com@localhost:
 >> Number:         52226
 >> Category:       kern
 >> Synopsis:       Freeze (infinite loop) in kernel on double lua module require
 >> Confidential:   no
 >> Severity:       serious
 >> Priority:       medium
 >> Responsible:    kern-bug-people
 >> State:          open
 >> Class:          sw-bug
 >> Submitter-Id:   net
 >> Arrival-Date:   Thu May 11 18:20:00 +0000 2017
 >> Originator:     Alexander Mihalicyn
 >> Release:        7.1
 >> Organization:
 >> Environment:
 > NetBSD netbsd 7.1 NetBSD 7.1 (GENERIC.201703111743Z) i386
 >> Description:
 > Problem with not checking that lua module already required and module loading two times. After that we got a list structure corrupted (one of the node pointing to itself). If we iterate over that list we got infinite loop in kernel...
 > 
 > Take a look on https://github.com/IIJ-NetBSD/netbsd-src/blob/master/sys/modules/lua/lua.c (function lua_require(lua_State *L)).
 > 
 > If we try to double require lua module we got a list with node pointing to itself:
 > line 524:
 > LIST_INSERT_HEAD(&s->lua_modules, md, mod_next);
 > 
 > Before this line we need to check, that our module not loaded yet.
 >> How-To-Repeat:
 > Possible exploitation is very simple:
 > /root/test.lua:
 > systm = require 'systm'
 > 
 > execute commands:
 > luactl create s1
 > luactl load s1 /root/test.lua
 > luactl load s1 /root/test.lua
 > luactl destroy s1
 > 
 > Houston, we have a problem!
 > 
 > Thanks to lneto (lneto%NetBSD.org@localhost) for help and support ;)
 >> Fix:
 > --- a/sys/modules/lua/lua.c
 > +++ b/sys/modules/lua/lua.c
 > @@ -487,8 +487,21 @@ lua_require(lua_State *L)
 >  					device_printf(sc_self,
 >  					    "require module %s\n",
 >  					    md->mod_name);
 > +
 > +				/* add module to loaded list in state */
 >  				luaL_requiref(L, md->mod_name, md->open, 0);
 >  
 > +				/* check that module not loaded yet before increasing refcount and adding to state modules list */
 > +				LIST_FOREACH(m, &s->lua_modules, mod_next)
 > +					if (m == md) {
 > +						if (lua_verbose)
 > +							device_printf(sc_self,
 > +								"required module %s already loaded\n",
 > +								m->mod_name);
 > +
 > +						return 1;
 > +					}
 > +
 >  				md->refcount++;
 >  				LIST_INSERT_HEAD(&s->lua_modules, md, mod_next);
 > return 1;
 >

Prev by Date: kern/52226: Freeze (infinite loop) in kernel on double lua module require
Next by Date: NetBSD Nightly Trouble Ticket Report
Previous by Thread: kern/52226: Freeze (infinite loop) in kernel on double lua module require
Next by Thread: Re: kern/52226: Freeze (infinite loop) in kernel on double lua module require
Indexes:

Home | Main Index | Thread Index | Old Index