
Fix theoretical array overflow in lua_typename()

Description

Fix theoretical array overflow in lua_typename()

Out of the 12 defects in lua that coverity reports, 5 of them involve
lua_typename() and out of the dozens of defects in ZFS that lua
reports, 3 of them involve lua_typename() due to the ZCP code. Given
all of the uses of lua_typename() in the ZCP code, I was surprised
that there were not more. It appears that only 2 were reported because
only 3 called lua_type(), which does a defective sanity check that
allows invalid types to be passed.

lua/lua@d4fb848be77f4b0209acaf37a5b5e1cee741ddce addressed this in
upstream lua 5.3. Unfortunately, we did not get that fix since we use
lua 5.2 and we do not have assertions enabled in lua, so the upstream
solution would not do anything.

While we could adopt the upstream solution and enable assertions, a
simpler solution is to fix the issue by making lua_typename() return
internal_type_error whenever it is called with an invalid type. This
avoids the array overflow and if we ever see it appear somewhere, we
will know there is a problem with the lua interpreter.

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu>
Closes #13947
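
As an added illustration of the approach the commit message describes (this is not the OpenZFS or Lua source), the block below is a standalone type-name lookup that returns the `internal_type_error` sentinel instead of indexing past the name table when it receives a tag outside `LUA_TNONE .. LUA_TTHREAD`. The tag constants mirror Lua 5.2's `lua.h`; the name table, `typename_checked`, `tag_is_valid` and `format_type_mismatch` are constructed for this example.

```c
/* Added illustration, not the OpenZFS or Lua source: a bounds-checked
 * type-name lookup in the style the commit message describes. The tag
 * values mirror Lua 5.2's lua.h; the name table is a constructed copy
 * of the idea behind Lua's luaT_typenames_ (indexed by tag + 1). */
#include <stdio.h>
#include <string.h>

#define LUA_TNONE          (-1)
#define LUA_TNIL           0
#define LUA_TBOOLEAN       1
#define LUA_TLIGHTUSERDATA 2
#define LUA_TNUMBER        3
#define LUA_TSTRING        4
#define LUA_TTABLE         5
#define LUA_TFUNCTION      6
#define LUA_TUSERDATA      7
#define LUA_TTHREAD        8
#define LUA_NUMTAGS        9   /* one past the highest public tag */

/* Slot 0 is LUA_TNONE, so a tag t lives at index t + 1. */
static const char *const typenames[LUA_NUMTAGS + 1] = {
    "no value", "nil", "boolean", "userdata", "number",
    "string", "table", "function", "userdata", "thread"
};

/* Sentinel returned instead of reading past either end of the table. */
static const char internal_type_error[] = "internal_type_error";

/* Accepts LUA_TNONE .. LUA_TTHREAD; anything else is a bug elsewhere in
 * the interpreter and must not turn into an out-of-bounds read. */
static int tag_is_valid(int t) {
    return t >= LUA_TNONE && t < LUA_NUMTAGS;
}

const char *typename_checked(int t) {
    if (!tag_is_valid(t))
        return internal_type_error;
    return typenames[t + 1];
}

/* Builds the kind of message a ZCP argument check produces. A corrupt
 * tag shows up as the sentinel in the text, and the return value (-1)
 * lets the caller notice that the interpreter, not the script, is wrong. */
int format_type_mismatch(char *buf, size_t len, int expected, int got) {
    snprintf(buf, len, "bad argument: %s expected, got %s",
             typename_checked(expected), typename_checked(got));
    return (tag_is_valid(expected) && tag_is_valid(got)) ? 0 : -1;
}
```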

Details

Provenance
Richard Yao <richard.yao@alumni.stonybrook.edu> authored on Oct 14 2022, 8:41 PM
Tony Hutter <hutter2@llnl.gov> committed on Dec 1 2022, 8:39 PM
Parents
rGd016ca1a9203: Fix potential NULL pointer dereference in lzc_ioctl()
Branches
Unknown
Tags
Unknown

Event Timeline

Tony Hutter <hutter2@llnl.gov> committed rG2453f9035007: Fix theoretical array overflow in lua_typename() (authored by Richard Yao <richard.yao@alumni.stonybrook.edu>). Dec 1 2022, 8:39 PM