From 2453f9035007e69ab63e0b2268f42bbefb3c90f3 Mon Sep 17 00:00:00 2001 From: Richard Yao Date: Fri, 14 Oct 2022 16:41:56 -0400 Subject: [PATCH] Fix theoretical array overflow in lua_typename() Out of the 12 defects in lua that coverity reports, 5 of them involve `lua_typename()` and out of the dozens of defects in ZFS that lua reports, 3 of them involve `lua_typename()` due to the ZCP code. Given all of the uses of `lua_typename()` in the ZCP code, I was surprised that there were not more. It appears that only 2 were reported because only 3 called `lua_type()`, which does a defective sanity check that allows invalid types to be passed. lua/lua@d4fb848be77f4b0209acaf37a5b5e1cee741ddce addressed this in upstream lua 5.3. Unfortunately, we did not get that fix since we use lua 5.2 and we do not have assertions enabled in lua, so the upstream solution would not do anything. While we could adopt the upstream solution and enable assertions, a simpler solution is to fix the issue by making `lua_typename()` return `internal_type_error` whenever it is called with an invalid type. This avoids the array overflow and if we ever see it appear somewhere, we will know there is a problem with the lua interpreter. Reviewed-by: Brian Behlendorf Signed-off-by: Richard Yao Closes #13947 --- module/lua/lapi.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/module/lua/lapi.c b/module/lua/lapi.c index 6a845c4610..75f8b2a1dd 100644 --- a/module/lua/lapi.c +++ b/module/lua/lapi.c @@ -251,6 +251,8 @@ LUA_API int lua_type (lua_State *L, int idx) { LUA_API const char *lua_typename (lua_State *L, int t) { UNUSED(L); + if (t > 8 || t < 0) + return "internal_type_error"; return ttypename(t); }