upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-04-21 14:17:30 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

BUG/MINOR: hlua: fix format-string vulnerability in Patref error path

Browse source 
hlua_error() is a printf-family function (calls vsnprintf), but
hlua_patref_set, hlua_patref_add, and _hlua_patref_add_bulk pass
errmsg directly as the format string. errmsg is built by pattern.c
helpers that embed the user-supplied key or value verbatim, e.g.
pat_ref_set_elt() generates "unable to parse '<value>'".

A Lua script calling:

    ref:set("key", "%p.%p.%p.%p.%p.%p.%p.%p")

against a map with an integer output type (where the parse fails)
gets stack/register contents formatted into the (nil, err) return
value -> ASLR/canary leak. With %n and no _FORTIFY_SOURCE this
becomes an arbitrary write primitive.

This must be backported as far as the Patref Lua API exists.
This commit is contained in:
Greg Kroah-Hartman 2026-04-07 09:48:13 +02:00 committed by William Lallemand
parent 2db801c635
commit d6284470e4
1 changed files with 3 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
src/hlua_fcn.c
View file

@ -2870,7 +2870,7 @@ int hlua_patref_add(lua_State *L)
if (!ret) {
ret = hlua_error(L, errmsg);
ret = hlua_error(L, "%s", errmsg);
ha_free(&errmsg);
return ret;
}
@ -2919,7 +2919,7 @@ static int _hlua_patref_add_bulk(lua_State *L, int status, lua_KContext ctx)
if (!pat_ref_load(ref->ptr, curr_gen, key, value, -1, &errmsg)) {
HA_RWLOCK_WRUNLOCK(PATREF_LOCK, &ref->ptr->lock);
ret = hlua_error(L, errmsg);
ret = hlua_error(L, "%s", errmsg);
ha_free(&errmsg);
return ret;
}
@ -3023,7 +3023,7 @@ int hlua_patref_set(lua_State *L)
HA_RWLOCK_WRUNLOCK(PATREF_LOCK, &ref->ptr->lock);
if (!ret) {
ret = hlua_error(L, errmsg);
ret = hlua_error(L, "%s", errmsg);
ha_free(&errmsg);
return ret;
}