From: Aurelien DARRAGON Date: Wed, 19 Mar 2025 15:41:08 +0000 (+0100) Subject: BUG/MEDIUM: hlua/cli: fix cli applet UAF in hlua_applet_wakeup() X-Git-Tag: v3.2-dev8~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=21601f4a27c4a1c8da0dbbfa22329ec1f927670e;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: hlua/cli: fix cli applet UAF in hlua_applet_wakeup() Recent commit e5e36ce09 ("BUG/MEDIUM: hlua/cli: Fix lua CLI commands to work with applet's buffers") revealed a bug in hlua cli applet handling Indeed, playing with Willy's lua tetris script on the cli, a segfault would be encountered when forcefully closing the session by sending a CTRL+C on the terminal. In fact the crash was caused by a UAF: while the cli applet was already freed, the lua task responsible for waking it up would still point to it. Thus hlua_applet_wakeup() could be called even if the applet didn't exist anymore. To fix the issue, in hlua_cli_io_release_fct() we must also free the hlua task linked to the applet, like we already do for hlua_applet_tcp_release() and hlua_applet_http_release(). While this bug exists on stable versions (where it should be backported too for precaution), it only seems to be triggered starting with 3.0. --- diff --git a/src/hlua.c b/src/hlua.c index 6d5074e2c..b9fee5f3c 100644 --- a/src/hlua.c +++ b/src/hlua.c @@ -11880,6 +11880,8 @@ static void hlua_cli_io_release_fct(struct appctx *appctx) { struct hlua_cli_ctx *ctx = appctx->svcctx; + task_destroy(ctx->task); + ctx->task = NULL; hlua_ctx_destroy(ctx->hlua); ctx->hlua = NULL; }
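Review bot: the new `task_destroy(ctx->task)` in hlua_cli_io_release_fct() assumes `ctx->task` is always populated by the time the release callback runs; if the applet can be released after an init failure or before the task is allocated, the call must be safe on a NULL pointer, so either confirm task_destroy() tolerates NULL or guard it with `if (ctx->task)` as a defensive check. The ordering (task first, then `hlua_ctx_destroy(ctx->hlua)`) is the right one, since the task is what wakes the applet and must stop referencing it before the lua context goes away, and mirroring the sequence used in hlua_applet_tcp_release() and hlua_applet_http_release() (as the commit message says) would be worth a one-line comment here so the three release paths stay in sync when one of them changes.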