Page MenuHomePhabricator

Add a unit test to Scribunto testing it is not vulnerable to CVE-2014-5461
Open, Needs TriagePublic

Description

Lua 5.1.5 has an overflow vulnerability that we are manually patching. Since we are manually patching, we should write a test to ensure that we actually do patch it.

Basically, this task is to write a unit test that runs the following Lua code:

function f(p1, p2, p3, p4, p5, p6, p7, p8, p9, p10,
            p11, p12, p13, p14, p15, p16, p17, p18, p19, p20,
            p21, p22, p23, p24, p25, p26, p27, p28, p29, p30,
            p31, p32, p33, p34, p35, p36, p37, p38, p39, p40,
            p41, p42, p43, p44, p45, p46, p48, p49, p50, ...)
   local a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13, a14
   f(...)
end
f(17)

(Based on the POC at https://bugzilla.redhat.com/show_bug.cgi?id=1132304#c8 )

The expected outcome of this test, is a lua error about a stack overflow. In the event of the vulnerability you would get a segfault instead. (To test this, try running that code from the command line using the shipped binaries in the current version of the extension in Scribunto/includes/engines/LuaStandalone/binaries vs the binaries from 00ed2a567b897d890e943a662836f4cc140de33a^ (note the ^ at the end is important here) in Scribunto/engines/LuaStandalone/binaries (Note the path has changed between versions).

Your task is to write a test that executes this code, and ensures that we don't segfault. See Scribunto/tests/phpunit/engines/LuaCommon for examples of other lua unit tests.

Note that the above code might exit with a "stack overflow" error or a "not enough memory" error, depending on the details of the execution environment. The added test must pass for either error, or must control the execution environment to guarantee one or the other error.

Event Timeline

Bawolff created this task.Nov 11 2018, 1:03 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 11 2018, 1:03 PM

Change 475586 had a related patch set uploaded (by Mogmog123; owner: Mogmog123):
[mediawiki/extensions/Scribunto@master] Adding a unit test for CVE-2014-5461 in Scribunto.

https://gerrit.wikimedia.org/r/475586

Change 475586 merged by jenkins-bot:
[mediawiki/extensions/Scribunto@master] Adding a unit test for CVE-2014-5461 in Scribunto.

https://gerrit.wikimedia.org/r/475586

Change 476857 had a related patch set uploaded (by Lucas Werkmeister (WMDE); owner: Lucas Werkmeister (WMDE)):
[mediawiki/extensions/Scribunto@master] Revert "Adding a unit test for CVE-2014-5461 in Scribunto."

https://gerrit.wikimedia.org/r/476857

Change 476857 merged by jenkins-bot:
[mediawiki/extensions/Scribunto@master] Revert "Adding a unit test for CVE-2014-5461 in Scribunto."

https://gerrit.wikimedia.org/r/476857

Anomie updated the task description. (Show Details)Nov 30 2018, 6:45 PM
Anomie added a subscriber: Anomie.

I updated the description to note that a successful implementation must not re-cause T210634.

Anomie updated the task description. (Show Details)Nov 30 2018, 6:47 PM