On Tue, Apr 07, 2026 at 09:48:13AM +0200, Greg Kroah-Hartman wrote:
> Subject: [PATCH 08/10] BUG: hlua: fix format-string vulnerability in Patref error path
> hlua_error() is a printf-family function (calls vsnprintf), but
> hlua_patref_set, hlua_patref_add, and _hlua_patref_add_bulk pass
> errmsg directly as the format string. errmsg is built by pattern.c
> helpers that embed the user-supplied key or value verbatim, e.g.
> pat_ref_set_elt() generates "unable to parse '<value>'".
> 
> A Lua script calling:
> 
>     ref:set("key", "%p.%p.%p.%p.%p.%p.%p.%p")
> 
> against a map with an integer output type (where the parse fails)
> gets stack/register contents formatted into the (nil, err) return
> value -> ASLR/canary leak. With %n and no _FORTIFY_SOURCE this
> becomes an arbitrary write primitive.
> 
> Combined with the httpclient stack overflow (commit de764e64fa44),
> the leak defeats stack canaries to achieve reliable RCE.
> 
> This must be backported as far as the Patref Lua API exists.

Merged as a BUG/MINOR, thanks!

-- 
William Lallemand
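The bug class described in the quoted commit message, reduced to a stand-alone C example. This is an added illustration, not HAProxy's code and not the patch itself: lua_error_sink() stands in for hlua_error(), build_errmsg() for the pattern.c helper that embeds the user value verbatim, and the two patref_set_* functions show the vulnerable call shape (errmsg used as the format string) next to the usual remedy for this class of bug, a constant "%s" format with errmsg as the argument. The actual diff is not shown on this page, so the fixed variant is the generic fix, not a claim about what the patch changed. All names are hypothetical. The vulnerable path is only ever exercised here with an input whose single directive, "%%", consumes no argument, because feeding it "%p.%p" as in the commit message is undefined behaviour and would read whatever is in the argument registers or on the stack.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for hlua_error(): a printf-family sink built on
 * vsnprintf(), exactly the property that makes passing user text as fmt
 * dangerous. Writes the rendered message into out. */
static int lua_error_sink(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Hypothetical stand-in for the pattern.c helper: the user-supplied
 * value is embedded verbatim, so errmsg is attacker-influenced text. */
static void build_errmsg(char *errmsg, size_t sz, const char *value)
{
    snprintf(errmsg, sz, "unable to parse '%s'", value);
}

/* Vulnerable shape: errmsg is handed to the sink as the format string.
 * Any '%' directive inside value is interpreted by vsnprintf(). */
static int patref_set_vulnerable(char *out, size_t outsz, const char *value)
{
    char errmsg[256];

    build_errmsg(errmsg, sizeof errmsg, value);
    return lua_error_sink(out, outsz, errmsg); /* BUG: errmsg is the format */
}

/* Fixed shape: the format is a constant and errmsg is an argument, so
 * '%' sequences in value are copied literally. */
static int patref_set_fixed(char *out, size_t outsz, const char *value)
{
    char errmsg[256];

    build_errmsg(errmsg, sizeof errmsg, value);
    return lua_error_sink(out, outsz, "%s", errmsg);
}

/* Helper a reviewer or fuzz harness can use: does a string that is about
 * to be used as a format carry a real conversion? "%%" is a literal
 * percent and consumes no argument; a lone '%' or anything else is a
 * conversion that pulls an argument the caller never supplied. */
static int has_conversion(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* Constructed input: "%%" is the one directive that is well defined with
 * no arguments, so it proves the format string is being interpreted
 * without triggering undefined behaviour. */
#define PROBE_VALUE "100%%"

/* Returns 1 when the vulnerable path has collapsed "%%" to "%", i.e. the
 * user value was parsed as a format string. */
static int check_vulnerable_interprets_format(void)
{
    char out[256];

    patref_set_vulnerable(out, sizeof out, PROBE_VALUE);
    return strcmp(out, "unable to parse '100%'") == 0;
}

/* Returns 1 when the fixed path keeps the user value byte-for-byte. */
static int check_fixed_keeps_literal(void)
{
    char out[256];

    patref_set_fixed(out, sizeof out, PROBE_VALUE);
    return strcmp(out, "unable to parse '100%%'") == 0;
}

int main(void)
{
    char out[256];

    patref_set_vulnerable(out, sizeof out, PROBE_VALUE);
    printf("vulnerable: %s\n", out);
    patref_set_fixed(out, sizeof out, PROBE_VALUE);
    printf("fixed:      %s\n", out);
    printf("has_conversion(\"%%p.%%p.%%p\") = %d\n", has_conversion("%p.%p.%p"));
    return 0;
}
```

The "%%" probe is the safe way to confirm a suspected format-string sink: the vulnerable variant prints one percent sign, the fixed variant prints two. has_conversion() is the check to run on any string about to reach a printf-family call with no arguments; the commit message's "%p.%p.%p.%p" and a "%n" write both trip it, while a value that merely contains a literal "%%" does not.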