fixed use-after-free in bn.lua. #173
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
READ of size 4 at 0x60300004fba8 thread T0
#0 0x7ffff6d96fb4 in BN_get_word crypto/bn/bn_lib.c:411
fffonion#1 0x555555ca9d98 (/usr/local/openresty-plus-asan/nginx/sbin/nginx+0x755d98)
fffonion#2 0x555555d7149f in lj_ccall_func /usr/src/debug/openresty-plus-1.19.9.1.65/build/LuaJIT-plus-2.1-20240710/src/lj_ccall.c:1402
fffonion#3 0x555555ca35b7 in lj_cf_ffi_meta___call /usr/src/debug/openresty-plus-1.19.9.1.65/build/LuaJIT-plus-2.1-20240710/src/lib_ffi.c:230
fffonion#4 0x555555ca7773 (/usr/local/openresty-plus-asan/nginx/sbin/nginx+0x753773)
fffonion#5 0x55555599e140 in ngx_http_lua_run_thread ../ngx_lua-0.10.26.8/src/ngx_http_lua_util.c:1190
fffonion#6 0x5555559a9d21 in ngx_http_lua_content_by_chunk ../ngx_lua-0.10.26.8/src/ngx_http_lua_contentby.c:124
fffonion#7 0x55555575d41d in ngx_http_core_content_phase src/http/ngx_http_core_module.c:1269
fffonion#8 0x555555748024 in ngx_http_core_run_phases src/http/ngx_http_core_module.c:885
fffonion#9 0x55555577348d in ngx_http_process_request src/http/ngx_http_request.c:2130
fffonion#10 0x5555557749a6 in ngx_http_process_request_headers src/http/ngx_http_request.c:1529
fffonion#11 0x5555557758c4 in ngx_http_process_request_line src/http/ngx_http_request.c:1196
fffonion#12 0x55555570fb1c in ngx_epoll_process_events src/event/modules/ngx_epoll_module.c:968
fffonion#13 0x5555556e5706 in ngx_process_events_and_timers src/event/ngx_event.c:262
fffonion#14 0x55555570b323 in ngx_single_process_cycle src/os/unix/ngx_process_cycle.c:338
fffonion#15 0x555555660ef4 in main src/core/nginx.c:403
fffonion#16 0x7ffff683feaf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
fffonion#17 0x7ffff683ff5f in __libc_start_main_impl ../csu/libc-start.c:389
fffonion#18 0x5555556648f4 in _start (/usr/local/openresty-plus-asan/nginx/sbin/nginx+0x1108f4)
0x60300004fba8 is located 8 bytes inside of 24-byte region [0x60300004fba0,0x60300004fbb8)
freed by thread T0 here:
#0 0x7ffff74b46b7 in free (/lib64/libasan.so.6+0xb46b7)
fffonion#1 0x7ffff6ea66e7 in CRYPTO_free crypto/mem.c:312
fffonion#2 0x7ffff6d9810e in BN_free crypto/bn/bn_lib.c:231
fffonion#3 0x555555ca9d98 (/usr/local/openresty-plus-asan/nginx/sbin/nginx+0x755d98)
fffonion#4 0x555555d7149f in lj_ccall_func /usr/src/debug/openresty-plus-1.19.9.1.65/build/LuaJIT-plus-2.1-20240710/src/lj_ccall.c:1402
fffonion#5 0x555555ca35b7 in lj_cf_ffi_meta___call /usr/src/debug/openresty-plus-1.19.9.1.65/build/LuaJIT-plus-2.1-20240710/src/lib_ffi.c:230
fffonion#6 0x555555ca7773 (/usr/local/openresty-plus-asan/nginx/sbin/nginx+0x753773)
previously allocated by thread T0 here:
#0 0x7ffff74b4a07 in __interceptor_malloc (/lib64/libasan.so.6+0xb4a07)
fffonion#1 0x7ffff6ea66bc in CRYPTO_malloc crypto/mem.c:222
fffonion#2 0x7ffff6ea6807 in CRYPTO_zalloc crypto/mem.c:230
fffonion#3 0x7ffff6d96c15 in BN_new crypto/bn/bn_lib.c:246
fffonion#4 0x555555ca9d98 (/usr/local/openresty-plus-asan/nginx/sbin/nginx+0x755d98)
fffonion#5 0x555555d7149f in lj_ccall_func /usr/src/debug/openresty-plus-1.19.9.1.65/build/LuaJIT-plus-2.1-20240710/src/lj_ccall.c:1402
fffonion#6 0x555555ca35b7 in lj_cf_ffi_meta___call /usr/src/debug/openresty-plus-1.19.9.1.65/build/LuaJIT-plus-2.1-20240710/src/lib_ffi.c:230
fffonion#7 0x555555ca7773 (/usr/local/openresty-plus-asan/nginx/sbin/nginx+0x753773)
fffonion
approved these changes
Jul 22, 2024
|
I will merge this in #177 |
|
closing this as #177 is merged |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
READ of size 4 at 0x60300004fba8 thread T0
#0 0x7ffff6d96fb4 in BN_get_word crypto/bn/bn_lib.c:411
#1 0x555555ca9d98 (/usr/local/openresty-plus-asan/nginx/sbin/nginx+0x755d98)
#2 0x555555d7149f in lj_ccall_func /usr/src/debug/openresty-plus-1.19.9.1.65/build/LuaJIT-plus-2.1-20240710/src/lj_ccall.c:1402
#3 0x555555ca35b7 in lj_cf_ffi_meta___call /usr/src/debug/openresty-plus-1.19.9.1.65/build/LuaJIT-plus-2.1-20240710/src/lib_ffi.c:230
#4 0x555555ca7773 (/usr/local/openresty-plus-asan/nginx/sbin/nginx+0x753773)
#5 0x55555599e140 in ngx_http_lua_run_thread ../ngx_lua-0.10.26.8/src/ngx_http_lua_util.c:1190
#6 0x5555559a9d21 in ngx_http_lua_content_by_chunk ../ngx_lua-0.10.26.8/src/ngx_http_lua_contentby.c:124
#7 0x55555575d41d in ngx_http_core_content_phase src/http/ngx_http_core_module.c:1269
#8 0x555555748024 in ngx_http_core_run_phases src/http/ngx_http_core_module.c:885
#9 0x55555577348d in ngx_http_process_request src/http/ngx_http_request.c:2130
#10 0x5555557749a6 in ngx_http_process_request_headers src/http/ngx_http_request.c:1529
#11 0x5555557758c4 in ngx_http_process_request_line src/http/ngx_http_request.c:1196
#12 0x55555570fb1c in ngx_epoll_process_events src/event/modules/ngx_epoll_module.c:968
#13 0x5555556e5706 in ngx_process_events_and_timers src/event/ngx_event.c:262
#14 0x55555570b323 in ngx_single_process_cycle src/os/unix/ngx_process_cycle.c:338
#15 0x555555660ef4 in main src/core/nginx.c:403
#16 0x7ffff683feaf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#17 0x7ffff683ff5f in __libc_start_main_impl ../csu/libc-start.c:389
#18 0x5555556648f4 in _start (/usr/local/openresty-plus-asan/nginx/sbin/nginx+0x1108f4)
0x60300004fba8 is located 8 bytes inside of 24-byte region [0x60300004fba0,0x60300004fbb8) freed by thread T0 here:
#0 0x7ffff74b46b7 in free (/lib64/libasan.so.6+0xb46b7)
#1 0x7ffff6ea66e7 in CRYPTO_free crypto/mem.c:312
#2 0x7ffff6d9810e in BN_free crypto/bn/bn_lib.c:231
#3 0x555555ca9d98 (/usr/local/openresty-plus-asan/nginx/sbin/nginx+0x755d98)
#4 0x555555d7149f in lj_ccall_func /usr/src/debug/openresty-plus-1.19.9.1.65/build/LuaJIT-plus-2.1-20240710/src/lj_ccall.c:1402
#5 0x555555ca35b7 in lj_cf_ffi_meta___call /usr/src/debug/openresty-plus-1.19.9.1.65/build/LuaJIT-plus-2.1-20240710/src/lib_ffi.c:230
#6 0x555555ca7773 (/usr/local/openresty-plus-asan/nginx/sbin/nginx+0x753773)
previously allocated by thread T0 here:
#0 0x7ffff74b4a07 in __interceptor_malloc (/lib64/libasan.so.6+0xb4a07)
#1 0x7ffff6ea66bc in CRYPTO_malloc crypto/mem.c:222
#2 0x7ffff6ea6807 in CRYPTO_zalloc crypto/mem.c:230
#3 0x7ffff6d96c15 in BN_new crypto/bn/bn_lib.c:246
#4 0x555555ca9d98 (/usr/local/openresty-plus-asan/nginx/sbin/nginx+0x755d98)
#5 0x555555d7149f in lj_ccall_func /usr/src/debug/openresty-plus-1.19.9.1.65/build/LuaJIT-plus-2.1-20240710/src/lj_ccall.c:1402
#6 0x555555ca35b7 in lj_cf_ffi_meta___call /usr/src/debug/openresty-plus-1.19.9.1.65/build/LuaJIT-plus-2.1-20240710/src/lib_ffi.c:230
#7 0x555555ca7773 (/usr/local/openresty-plus-asan/nginx/sbin/nginx+0x753773)