From: Aurelien DARRAGON
Date: Tue, 8 Oct 2024 09:34:10 +0000 (+0200)
Subject: BUG/MEDIUM: hlua: make hlua_ctx_renew() safe
X-Git-Tag: v3.1-dev10~108
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d0e01051813bde5cb06bebe88102f2b2885b3dea;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: hlua: make hlua_ctx_renew() safe

hlua_ctx_renew() is called from unsafe places where the caller doesn't expect it to LJMP.. however hlua_ctx_renew() makes use of Lua library function that could potentially raise errors, such as lua_newthread(), and it does nothing to catch errors. Because of this, haproxy could unexpectedly crash.

This was discovered and reported by GH user @JB0925 on #2745.

To fix the issue, let's simply make hlua_ctx_renew() safe by applying the same logic implemented for hlua_ctx_init() or hlua_ctx_destroy(), which is catching Lua errors by leveraging SET_SAFE_LJMP_PARENT() helper.

It should be backported to all stable versions.
---
diff --git a/src/hlua.c b/src/hlua.c
index 96773a86a7..eab77324ca 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -1811,10 +1811,15 @@ static int hlua_ctx_renew(struct hlua *lua, int keep_msg)
 lua_State *T;
 int new_ref;
 
+ if (!SET_SAFE_LJMP_PARENT(lua))
+ return 0;
+
 /* New Lua coroutine. */
 T = lua_newthread(hlua_states[lua->state_id]);
- if (!T)
+ if (!T) {
+ RESET_SAFE_LJMP_PARENT(lua);
 return 0;
+ }
 
 /* Copy last error message. */
 if (keep_msg)
@@ -1836,6 +1841,8 @@ static int hlua_ctx_renew(struct hlua *lua, int keep_msg)
 lua->T = T;
 lua->Tref = luaL_ref(hlua_states[lua->state_id], LUA_REGISTRYINDEX);
+ RESET_SAFE_LJMP_PARENT(lua);
+
 /* Set context. */
 hlua_sethlua(lua);
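Review bot: The `return 0` right after `SET_SAFE_LJMP_PARENT(lua)` is not only the "could not arm the guard" case: it is also where control lands, via longjmp, when any Lua call later in the function raises — the `lua_newthread()` on the next line and whatever runs between this hunk and the one at 1836 — and the hunk carries no comment saying so. I would add `/* Also the landing point when a Lua error is raised below (longjmp back into the setjmp above): report failure to the caller instead of crashing. */` above that return, since the caller receives the same 0 for both cases and cannot tell a renew that never started from one that failed midway. Presumably the macro's longjmp branch releases whatever lock the SET_SAFE_LJMP_PARENT() call took and restores the panic handler, as the matching pattern in hlua_ctx_init() would need; if it did not, this early return would leak the lock, so that is worth confirming against the macro definition, which is outside the hunk. Whether the Lua error object pushed before the panic is left on the parent state's stack on that path is also not visible here and may need a pop. The body of hlua_ctx_renew() continues between the two hunks.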