From c57e5e58e197fca322c2840efa435eabb62e4d9d Mon Sep 17 00:00:00 2001 From: ame Date: Thu, 11 Jul 2024 12:27:06 -0500 Subject: fixes to ub:33 hashes now safe --- src/crypto.h | 8 ++++++- src/hash/blake.c | 20 ++++++++++++++++-- src/hash/blake2.c | 9 ++++---- src/hash/md5.c | 1 - src/lua.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++----- src/lua.h | 2 ++ src/thread.c | 13 ++++++------ 7 files changed, 96 insertions(+), 19 deletions(-) (limited to 'src') diff --git a/src/crypto.h b/src/crypto.h index 410b282..b3b0609 100644 --- a/src/crypto.h +++ b/src/crypto.h @@ -90,6 +90,12 @@ int _##luaname##_common_hash(lua_State* L){\ struct hashname##_hash* a = (struct hashname##_hash*)lua_newuserdata(L, sizeof * a);\ int ud = lua_gettop(L);\ *a = initf;\ + int ini = lua_gettop(L);\ + lua_newtable(L);\ + lua_setfield(L, LUA_REGISTRYINDEX, lua_topointer(L, ud));\ + lua_getfield(L, LUA_REGISTRYINDEX, lua_topointer(L, ud));\ + int i;\ + for(i = ud; i != ini; i++) luaI_tsetv(L, ini + 1, lua_topointer(L, i), i);\ lua_common_hash_meta_def(luaname);\ lua_pushvalue(L, ud);\ return 1;\ @@ -166,7 +172,7 @@ static const luaL_Reg crypto_function_list [] = { {"base64decode",l_base64decode}, {"baseconvert",l_baseconvert}, - + {NULL,NULL} }; diff --git a/src/hash/blake.c b/src/hash/blake.c index 76b6680..4c6d284 100644 --- a/src/hash/blake.c +++ b/src/hash/blake.c @@ -206,8 +206,11 @@ void _blake256_final(struct blake256_hash* hash, char* out_stream){ void blake256_final(struct blake256_hash* hash, char* out_stream){ uint8_t old[bs]; struct blake256_hash old_hash; + uint32_t hhash[8]; + memcpy(&old_hash, hash, sizeof * hash); - memcpy(old, hash->buffer, bs); + memcpy(old, hash->buffer, bs * sizeof * old); + memcpy(hhash, hash->hash, sizeof * hhash * 8); if(hash->bufflen == 55) hash->buffer[hash->bufflen] = 0x81; else hash->buffer[bs - 9] = 0x01; 
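Review bot: In the `_##luaname##_common_hash` macro the added `lua_setfield`/`lua_getfield` calls pass `lua_topointer(L, ud)` as the key, but both functions expect a NUL-terminated `const char*`. Lua would therefore read the bytes of the freshly initialised hash state as a string, which can run past the userdata if no zero byte occurs and does not give a key that is unique per object. Keying the registry by address needs a light userdata: `lua_pushlightuserdata(L, a); lua_newtable(L); lua_settable(L, LUA_REGISTRYINDEX);`, with the lookup done the same way through `lua_gettable`. The `luaI_tsetv` call receives the same raw pointer; its prototype is not in this hunk, so it should be checked for the same problem. Nothing visible here removes the registry entry again, so unless the metatable's `__gc` (outside the hunk) clears it, every hash object leaves a table behind.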
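Review bot: The new `hhash` snapshot in `blake256_final` is sized from the local array (`sizeof * hhash * 8`) rather than from the state it copies, which is the kind of mismatch this same commit has to correct in `blake2b_final` (`uint32_t hashh[8]` becoming `uint64_t`). Tying the two together lets the compiler catch it: `_Static_assert(sizeof hhash == 8 * sizeof *hash->hash, "hhash must cover the chaining value");` followed by `memcpy(hhash, hash->hash, sizeof hhash);`. The struct declarations are not part of the diff, so this assumes `hash->hash` is a pointer to, or array of, eight words. The same applies to the later hunks for `blake224_final`, `blake512_final` and `blake384_final`. Only `blake256_final` and `blake2b_final` received the `* sizeof * old` spelling for the buffer copy, so the sibling functions now differ in style for no functional reason.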
@@ -219,14 +222,18 @@ void blake256_final(struct blake256_hash* hash, char* out_stream){ } memcpy(hash, &old_hash, sizeof * hash); - memcpy(hash->buffer, old, bs); + memcpy(hash->buffer, old, bs * sizeof * old); + memcpy(hash->hash, hhash, sizeof * hhash * 8); } void blake224_final(struct blake256_hash* hash, char* out_stream){ uint8_t old[bs]; struct blake256_hash old_hash; + uint32_t hhash[8]; + memcpy(&old_hash, hash, sizeof * hash); memcpy(old, hash->buffer, bs); + memcpy(hhash, hash->hash, sizeof * hhash * 8); if(hash->bufflen == 55) hash->buffer[hash->bufflen] = 0x80; else hash->buffer[bs - 9] = 0x00; @@ -239,6 +246,7 @@ void blake224_final(struct blake256_hash* hash, char* out_stream){ memcpy(hash, &old_hash, sizeof * hash); memcpy(hash->buffer, old, bs); + memcpy(hash->hash, hhash, sizeof * hhash * 8); } void blake256(char *out, char *in, uint64_t inlen){ @@ -418,8 +426,11 @@ void _blake512_final(struct blake512_hash* hash, char* out_stream){ void blake512_final(struct blake512_hash* hash, char* out_stream){ uint8_t old[bs_2]; struct blake512_hash old_hash; + uint64_t hhash[8]; + memcpy(&old_hash, hash, sizeof * hash); memcpy(old, hash->buffer, bs_2); + memcpy(hhash, hash->hash, sizeof * hhash * 8); if(hash->bufflen == 111) hash->buffer[hash->bufflen] = 0x81; else hash->buffer[bs_2 - 17] = 0x01; @@ -432,6 +443,7 @@ void blake512_final(struct blake512_hash* hash, char* out_stream){ memcpy(hash, &old_hash, sizeof * hash); memcpy(hash->buffer, old, bs_2); + memcpy(hash->hash, hhash, sizeof * hhash * 8); } void blake512(uint8_t* in, size_t len, char* out){ 
@@ -445,8 +457,11 @@ void blake512(uint8_t* in, size_t len, char* out){ void blake384_final(struct blake384_hash* hash, char* out_stream){ uint8_t old[bs_2]; struct blake384_hash old_hash; + uint64_t hhash[8]; + memcpy(&old_hash, hash, sizeof * hash); memcpy(old, hash->buffer, bs_2); + memcpy(hhash, hash->hash, sizeof * hhash * 8); if(hash->bufflen == 111) hash->buffer[hash->bufflen] = 0x80; else hash->buffer[bs_2 - 17] = 0x00; @@ -459,6 +474,7 @@ void blake384_final(struct blake384_hash* hash, char* out_stream){ memcpy(hash, &old_hash, sizeof * hash); memcpy(hash->buffer, old, bs_2); + memcpy(hash->hash, hhash, sizeof * hhash * 8); } void blake384(uint8_t* in, size_t len, char* out){ diff --git a/src/hash/blake2.c b/src/hash/blake2.c index 9507c96..95d878f 100644 --- a/src/hash/blake2.c +++ b/src/hash/blake2.c @@ -221,10 +221,11 @@ void blake2b_update(uint8_t* input, size_t len, struct blake2b_hash* hash){ void blake2b_final(struct blake2b_hash* hash, char* out_stream){ uint8_t old[bs_2]; - uint32_t hashh[8]; + uint64_t hashh[8]; struct blake2b_hash old_hash; + memcpy(&old_hash, hash, sizeof * hash); - memcpy(old, hash->buffer, bs_2); + memcpy(old, hash->buffer, bs_2 * sizeof * old); memcpy(hashh, hash->hash, 8 * sizeof * hashh); hash->compressed += hash->bufflen; @@ -234,7 +235,7 @@ void blake2b_final(struct blake2b_hash* hash, char* out_stream){ for(int i = 0; i != hash->digest_len; i++)sprintf(out_stream + i * 2, "%02x", (((uint8_t*)hash->hash)[i])); memcpy(hash, &old_hash, sizeof * hash); - memcpy(hash->buffer, old, bs_2); + memcpy(hash->buffer, old, bs_2 * sizeof * old); memcpy(hash->hash, hashh, 8 * sizeof * hashh); } @@ -531,4 +532,4 @@ int l_blake2s(lua_State* L){ lua_pushstring(L, digest); return 1; -} \ No newline at end of file +} diff --git a/src/hash/md5.c b/src/hash/md5.c index 78211cd..1b3f508 100644 --- a/src/hash/md5.c +++ b/src/hash/md5.c 
@@ -37,7 +37,6 @@ struct md5_hash md5_init_l(lua_State* L){ void md5_round(struct md5_hash* hash){ uint32_t* M = (uint32_t *)(hash->buffer); - uint32_t A = hash->a0; uint32_t B = hash->b0; uint32_t C = hash->c0; diff --git a/src/lua.c b/src/lua.c index 8a39af1..5e083cc 100644 --- a/src/lua.c +++ b/src/lua.c @@ -54,7 +54,6 @@ void luaI_deepcopy(lua_State* src, lua_State* dest, enum deep_copy_flags flags){ int old_top = lua_gettop(src); int modi = 0; -#define q lua_pushnumber(dest, 5); break; switch(lua_type(src, -1)){ case LUA_TNUMBER: n = lua_tonumber(src, -1); @@ -62,8 +61,6 @@ void luaI_deepcopy(lua_State* src, lua_State* dest, enum deep_copy_flags flags){ else lua_pushnumber(dest, n); break; case LUA_TSTRING:; - //seems to have some "ub" here, lua_pushlstring can overrite arbitrary data? - //has a chance to override other userdata, still testing this size_t slen; const char* ss = lua_tolstring(src, -1, &slen); lua_pushlstring(dest, ss, slen); @@ -142,7 +139,7 @@ void luaI_deepcopy(lua_State* src, lua_State* dest, enum deep_copy_flags flags){ break; default: printf("unknown type %i\n",lua_type(src, -1)); - lua_pushnil(dest); + lua_pushnumber(dest, 5); break; } int tidx = lua_gettop(dest); 
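Review bot: The `default:` branch of `luaI_deepcopy` now pushes the number 5 for every type it cannot copy, so an uncopyable value (a function or userdata, for instance) arrives in the destination state indistinguishable from a genuine numeric 5. The removed `lua_pushnil(dest);` at least left the slot visibly empty. If nil caused trouble further down, failing loudly is safer than substituting a magic number, e.g. `luaL_error(src, "cannot copy value of type %s", luaL_typename(src, -1));`. If a placeholder has to stay, it deserves a named constant and a comment saying why. The function body starts and ends outside this hunk, so how the pushed value is consumed afterwards is not visible here.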
@@ -154,7 +151,62 @@ void luaI_deepcopy(lua_State* src, lua_State* dest, enum deep_copy_flags flags){ lua_settop(dest, tidx); } - lua_settop(src, aa); + lua_settop(src, old_top); +} + +void luaI_deepcopy2(lua_State* src, lua_State* dest){ + switch(lua_type(src, -1)){ + case LUA_TNUMBER: + lua_pushinteger(dest, lua_tointeger(src, -1)); + break; + + case LUA_TSTRING:; + size_t size = 0; + const char* str = lua_tolstring(src, -1, &size); + lua_pushlstring(dest, str, size); + break; + + case LUA_TTABLE:; + const void* p = lua_topointer(src, -1); + char* p_string = calloc(80, sizeof * p_string); + sprintf(p_string, "%p", p); + + //lua_getfield(dest, LUA_REGISTRYINDEX, p_string); + lua_pushstring(dest, p_string); + lua_gettable(dest, LUA_REGISTRYINDEX); + if(!lua_isnil(dest, -1)){ + break; + } + + lua_pop(dest, 1); + lua_pushstring(dest, p_string); + lua_newtable(dest); + //lua_setfield(dest, LUA_REGISTRYINDEX, p_string); + //lua_getfield(dest, LUA_REGISTRYINDEX, p_string); + lua_settable(dest, LUA_REGISTRYINDEX); + + lua_pushstring(dest, p_string); + lua_gettable(dest, LUA_REGISTRYINDEX); + + free(p_string); + + int src_top = lua_gettop(src); + int dest_top = lua_gettop(dest); + + lua_pushnil(src); + for(;lua_next(src, src_top) != 0;){ + luaI_deepcopy2(src, dest); + lua_pop(src, 1); + luaI_deepcopy2(src, dest); + + lua_settable(dest, dest_top); + } + break; + + default: + lua_pushinteger(dest, 4); + break; + } } /** diff --git a/src/lua.h b/src/lua.h index 3328db5..45f1748 100644 --- a/src/lua.h +++ b/src/lua.h @@ -16,6 +16,8 @@ void* __malloc_(size_t); void __free_(void*); void luaI_deepcopy(lua_State* src, lua_State* dest, enum deep_copy_flags); +void luaI_deepcopy2(lua_State* src, lua_State* dest); + void lua_set_global_table(lua_State*); //todo: char* _luaL_tolstring(lua_State*, int, size_t*); diff --git a/src/thread.c b/src/thread.c index 5b3cb11..e6858f5 100644 --- a/src/thread.c +++ b/src/thread.c 
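Review bot: In the new `luaI_deepcopy2`, the `LUA_TTABLE` branch leaks `p_string` whenever the registry lookup hits, because the `break` after `!lua_isnil(dest, -1)` leaves before `free(p_string)`; the `calloc` result is also passed to `sprintf` unchecked. A stack buffer removes both problems: `char p_string[80]; snprintf(p_string, sizeof p_string, "%p", p);`, with the `free` dropped. In the same function `lua_pushinteger(dest, lua_tointeger(src, -1))` truncates non-integer numbers where `lua_pushnumber(dest, lua_tonumber(src, -1))` would keep them. The `"%p"` registry entries are never removed, so a later copy of a different table that reuses the address could be handed the stale one. The recursion has no depth limit and no `lua_checkstack` on `dest`, which matters if the tables being copied can be shaped by untrusted scripts.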
@@ -180,10 +180,8 @@ int l_async(lua_State* oL){ lua_getglobal(oL, "_G"); luaI_deepcopy(oL, L, SKIP_GC); - //lua_set_global_table(L); - - return 0; - + lua_set_global_table(L); + struct thread_info* args = calloc(1, sizeof * args); args->L = L; //args->lock = (pthread_mutex_t)PTHREAD_MUTEX_INITIALIZER; @@ -344,11 +342,14 @@ int l_buffer(lua_State* L){ return 1; } +void _lua_getfenv(lua_State* L){ + +} int l_testcopy(lua_State* L){ lua_settop(L, 0); + + lua_State* temp = luaL_newstate(); - lua_getglobal(L, "_G"); - luaI_deepcopy(L, temp, SKIP_GC); //luaI_deepcopy(temp, L, NULL, SKIP_GC); lua_close(temp); return 1; -- cgit v1.2.3
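Review bot: With the early `return 0;` removed, `l_async` now reaches `struct thread_info* args = calloc(1, sizeof * args); args->L = L;`, and the allocation is dereferenced without a check. Those two lines are context rather than additions, but this change is what makes them live. Adding `if(args == NULL) return luaL_error(oL, "out of memory");` directly after the `calloc` would cover it. The rest of the function lies outside the hunk, so whether the new state `L` is closed on that error path has to be checked there.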
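Review bot: `l_testcopy` now clears the stack with `lua_settop(L, 0)`, pushes nothing, and still ends in `return 1;`, so it reports one result to Lua while the stack is empty. With the `lua_getglobal` and `luaI_deepcopy` calls removed, it should end in `return 0;`. `luaL_newstate()` can return NULL, so `lua_close(temp)` wants a guard such as `if(temp != NULL) lua_close(temp);`. The empty `_lua_getfenv` stub has external linkage and no declaration for it appears in this commit; making it `static`, or leaving it out until it does something, would keep it out of the global namespace.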