NetBSD-Bugs archive


Re: kern/52226: Freeze (infinite loop) in kernel on double lua module require



The following reply was made to PR kern/52226; it has been noted by GNATS.

From: Marc Balmer <marc%msys.ch@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: kern/52226: Freeze (infinite loop) in kernel on double lua module require
Date: Sat, 20 May 2017 10:34:43 +0200

 I just fixed this in NetBSD -current and requested a pullup to the netbsd-7 branch.
 
 
 On 11 May 2017 at 20:20:00, alexander%mihalicyn.com@localhost (alexander%mihalicyn.com@localhost) wrote:
 
 >Number: 52226 
 >Category: kern 
 >Synopsis: Freeze (infinite loop) in kernel on double lua module require 
 >Confidential: no 
 >Severity: serious 
 >Priority: medium 
 >Responsible: kern-bug-people 
 >State: open 
 >Class: sw-bug 
 >Submitter-Id: net 
 >Arrival-Date: Thu May 11 18:20:00 +0000 2017 
 >Originator: Alexander Mihalicyn 
 >Release: 7.1 
 >Organization: 
 >Environment: 
 NetBSD netbsd 7.1 NetBSD 7.1 (GENERIC.201703111743Z) i386 
 >Description: 
 The problem is that there is no check whether a Lua module has already been required, so the module is loaded twice. After that we get a corrupted list structure (one of the nodes points to itself). If we iterate over that list we get an infinite loop in the kernel...
 
 Take a look at https://github.com/IIJ-NetBSD/netbsd-src/blob/master/sys/modules/lua/lua.c (function lua_require(lua_State *L)).
 
 If we try to require a Lua module twice we get a list with a node pointing to itself:
 line 524: 
 LIST_INSERT_HEAD(&s->lua_modules, md, mod_next); 
 
 Before this line we need to check that our module is not loaded yet.
 >How-To-Repeat: 
 Possible exploitation is very simple: 
 /root/test.lua: 
 systm = require 'systm' 
 
 execute commands: 
 luactl create s1 
 luactl load s1 /root/test.lua 
 luactl load s1 /root/test.lua 
 luactl destroy s1 
 
 Houston, we have a problem! 
 
 Thanks to lneto (lneto%NetBSD.org@localhost) for help and support ;) 
 >Fix: 
 --- a/sys/modules/lua/lua.c 
 +++ b/sys/modules/lua/lua.c 
 @@ -487,8 +487,21 @@ lua_require(lua_State *L) 
 device_printf(sc_self, 
 "require module %s\n", 
 md->mod_name); 
 + 
 +	/* add module to loaded list in state */ 
 luaL_requiref(L, md->mod_name, md->open, 0); 
 
 +	/* check that module not loaded yet before increasing refcount and adding to state modules list */ 
 +	LIST_FOREACH(m, &s->lua_modules, mod_next) 
 +	if (m == md) { 
 +	if (lua_verbose) 
 +	device_printf(sc_self, 
 +	"required module %s already loaded\n", 
 +	m->mod_name); 
 + 
 +	return 1; 
 +	} 
 + 
 md->refcount++; 
 LIST_INSERT_HEAD(&s->lua_modules, md, mod_next); 
 return 1; 
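Review bot: the duplicate check in this hunk runs only after luaL_requiref() has already been called, so on a repeat require the Lua-side registration of md->open is redone before the function notices that md is already on s->lua_modules and takes the early `return 1`. If that ordering is deliberate (it leaves the module value on the stack for the return), the comment should say so; otherwise do the LIST_FOREACH first and only push the already-registered value on the duplicate path. The comment `/* add module to loaded list in state */` placed above luaL_requiref() is also misleading, since the list insert is the LIST_INSERT_HEAD further down. Finally, the declaration of `m` is not visible in the hunk, so confirm it is in scope in lua_require().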
 
 
 
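To make the list corruption described in the PR concrete, here is an added userland example (not code from the PR or from NetBSD's lua.c; the `struct lua_module` stand-in and the helper names are constructed for illustration). It performs the same LIST_INSERT_HEAD twice on one node with `<sys/queue.h>`, shows that the node ends up pointing to itself via a bounded walk instead of hanging, and contrasts the membership check the fix applies before inserting.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/queue.h>

/* Constructed stand-in for the kernel's module descriptor (hypothetical). */
struct lua_module {
	const char *mod_name;
	int refcount;
	LIST_ENTRY(lua_module) mod_next;
};
LIST_HEAD(lua_module_list, lua_module);

/* Unconditional insert, as the unpatched lua_require() did. */
static void insert_unchecked(struct lua_module_list *lst, struct lua_module *md)
{
	md->refcount++;
	LIST_INSERT_HEAD(lst, md, mod_next);	/* second call links md to itself */
}

/* Insert only if md is not already linked; returns false when it was. */
static bool insert_once(struct lua_module_list *lst, struct lua_module *md)
{
	struct lua_module *m;
	LIST_FOREACH(m, lst, mod_next)
		if (m == md)
			return false;	/* already loaded: do not bump refcount */
	md->refcount++;
	LIST_INSERT_HEAD(lst, md, mod_next);
	return true;
}

/* Bounded walk: number of nodes, or -1 if the list is cyclic. */
static int count_nodes(struct lua_module_list *lst)
{
	struct lua_module *m;
	int n = 0;
	LIST_FOREACH(m, lst, mod_next)
		if (++n > 1024 || m->mod_next.le_next == m)
			return -1;	/* an unbounded walk would spin here forever */
	return n;
}

/* Simulate `require 'systm'` twice; returns count_nodes() afterwards. */
static int double_require(bool checked)
{
	struct lua_module_list lst = LIST_HEAD_INITIALIZER(lst);
	struct lua_module systm = { "systm", 0 };
	bool (*ins)(struct lua_module_list *, struct lua_module *) = insert_once;
	if (checked) { ins(&lst, &systm); ins(&lst, &systm); }
	else { insert_unchecked(&lst, &systm); insert_unchecked(&lst, &systm); }
	return count_nodes(&lst);
}
```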