From: Jo Johnson
Date: Mon, 29 Jan 2024 16:56:53 +0000 (-0800)
Subject: lua: Add config override for lua sandbox limits
X-Git-Tag: suricata-8.0.0-beta1~1264
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e946b20e0f17bfe3d01014dcd32f578b738699a1;p=thirdparty%2Fsuricata.git
lua: Add config override for lua sandbox limits
---
diff --git a/src/detect-lua.c b/src/detect-lua.c
index 023aee82ba..360b61b20d 100644
--- a/src/detect-lua.c
+++ b/src/detect-lua.c
@@ -98,9 +98,6 @@ static void DetectLuaRegisterTests(void);
 static void DetectLuaFree(DetectEngineCtx *, void *);
 static int g_smtp_generic_list_id = 0;
-// TODO: move to config
-static const uint64_t g_lua_alloc_limit = 500000, g_lua_instruction_limit = 500000;
-
 /**
 * \brief Registration function for keyword: lua
 */
@@ -153,6 +150,10 @@ void DetectLuaRegister(void)
 #define FLAG_DATATYPE_BUFFER BIT_U32(22)
 #define FLAG_ERROR_LOGGED BIT_U32(23)
+// TODO: move to config
+#define DEFAULT_LUA_ALLOC_LIMIT 500000
+#define DEFAULT_LUA_INSTRUCTION_LIMIT 500000
+
 #if 0
 /** \brief dump stack from lua state to screen */
 void LuaDumpStack(lua_State *state)
@@ -483,7 +484,7 @@ static void *DetectLuaThreadInit(void *data)
 t->alproto = lua->alproto;
 t->flags = lua->flags;
- t->luastate = sb_newstate(g_lua_alloc_limit, g_lua_instruction_limit);
+ t->luastate = sb_newstate(lua->alloc_limit, lua->instruction_limit);
 if (t->luastate == NULL) {
 SCLogError("luastate pool depleted");
 goto error;
@@ -585,7 +586,7 @@ static int DetectLuaSetupPrime(DetectEngineCtx *de_ctx, DetectLuaData *ld, const
 {
 int status;
- lua_State *luastate = sb_newstate(g_lua_alloc_limit, g_lua_instruction_limit);
+ lua_State *luastate = sb_newstate(ld->alloc_limit, ld->instruction_limit);
 if (luastate == NULL)
 return -1;
 luaL_openlibs(luastate); // TODO: get sandbox config and load appropriate libs
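Review bot: The `// TODO: move to config` comment carried over onto the new `DEFAULT_LUA_ALLOC_LIMIT` / `DEFAULT_LUA_INSTRUCTION_LIMIT` defines is stale in this very commit, which reads `security.lua.max-bytes` and `security.lua.max-instructions` through ConfGetInt in DetectLuaSetup (the -902 hunk); the defines are now the fallback used when those keys are absent. Replace it with a comment that states the units and the override, e.g. `/* Fallback caps for a rule's Lua sandbox when security.lua.max-bytes / security.lua.max-instructions are not set: bytes charged by sb_alloc, and Lua VM instructions respectively. */`. The instruction-count meaning is inferred only from the parameter name in sb_newstate, so confirm it against the count hook before committing to that wording.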
@@ -902,6 +903,14 @@ static int DetectLuaSetup (DetectEngineCtx *de_ctx, Signature *s, const char *st
 if (lua == NULL)
 goto error;
+ /* Load lua sandbox configurations */
+ intmax_t lua_alloc_limit = DEFAULT_LUA_ALLOC_LIMIT;
+ intmax_t lua_instruction_limit = DEFAULT_LUA_INSTRUCTION_LIMIT;
+ (void)ConfGetInt("security.lua.max-bytes", &lua_alloc_limit);
+ (void)ConfGetInt("security.lua.max-instructions", &lua_instruction_limit);
+ lua->alloc_limit = lua_alloc_limit;
+ lua->instruction_limit = lua_instruction_limit;
+
 if (DetectLuaSetupPrime(de_ctx, lua, s) == -1) {
 goto error;
 }
diff --git a/src/detect-lua.h b/src/detect-lua.h
index 104c631fe3..5ec3c01022 100644
--- a/src/detect-lua.h
+++ b/src/detect-lua.h
@@ -55,6 +55,8 @@ typedef struct DetectLuaData {
 uint32_t sid;
 uint32_t rev;
 uint32_t gid;
+ uint64_t alloc_limit;
+ uint64_t instruction_limit;
 } DetectLuaData;
 #endif /* HAVE_LUA */
diff --git a/src/util-lua-sandbox.c b/src/util-lua-sandbox.c
index 0fcb1dd2c1..f0c1b7ea0f 100644
--- a/src/util-lua-sandbox.c
+++ b/src/util-lua-sandbox.c
@@ -64,8 +64,9 @@ static void *sb_alloc(void *ud, void *ptr, size_t osize, size_t nsize)
 return NULL;
 }
 void *nptr = SCRealloc(ptr, nsize);
-
- ctx->alloc_bytes += nsize;
+ if (nptr != NULL) {
+ ctx->alloc_bytes += nsize;
+ }
 return nptr;
 }
 }
@@ -77,7 +78,7 @@ static const luaL_Reg sb_restrictedlibs[] = { { LUA_GNAME, luaopen_base },
 // {LUA_LOADLIBNAME, luaopen_package},
 // {LUA_COLIBNAME, luaopen_coroutine},
 { LUA_TABLIBNAME, luaopen_table },
- //{LUA_IOLIBNAME, luaopen_io},
+ // {LUA_IOLIBNAME, luaopen_io},
 // {LUA_OSLIBNAME, luaopen_os},
 { LUA_STRLIBNAME, luaopen_string }, { LUA_MATHLIBNAME, luaopen_math },
 { LUA_UTF8LIBNAME, luaopen_utf8 },
@@ -144,7 +145,7 @@ lua_State *sb_newstate(uint64_t alloclimit, uint64_t instructionlimit)
 sb->L = lua_newstate(sb_alloc, sb); /* create state */
 if (sb->L == NULL) {
 // TODO: log or error code?
- free(sb);
+ SCFree(sb);
 return NULL;
 }
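Review bot: The values read by the two ConfGetInt calls are copied from `intmax_t` into the `uint64_t` fields `lua->alloc_limit` / `lua->instruction_limit` without a range check, so a negative `security.lua.max-bytes` or `security.lua.max-instructions` wraps to a value near 2^64 and silently removes the cap the sandbox exists to enforce; a zero is passed straight through as well, and whether sb_newstate treats 0 as "unlimited" is not visible here. Reject out-of-range values before the assignment and fail the rule through the existing `error` label, as below. The discarded ConfGetInt return value also means a present-but-unparsable setting keeps the default, which is acceptable only if ConfGetInt logs that case itself. DetectLuaSetup begins and ends outside the hunk, and the same two fields are consumed by the -483 and -585 hunks of detect-lua.c.
```c
    (void)ConfGetInt("security.lua.max-instructions", &lua_instruction_limit);
    if (lua_alloc_limit < 0 || lua_instruction_limit < 0) {
        SCLogError("security.lua.max-bytes and security.lua.max-instructions must not be negative");
        goto error;
    }
    lua->alloc_limit = (uint64_t)lua_alloc_limit;
    lua->instruction_limit = (uint64_t)lua_instruction_limit;
    /* … unchanged: DetectLuaSetupPrime() call … */
```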
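Review bot: The two new `DetectLuaData` fields say nothing about their unit or where they come from, which matters because one is a byte count and the other is not. Suggest `uint64_t alloc_limit; /* sandbox memory cap in bytes, from security.lua.max-bytes */` and `uint64_t instruction_limit; /* sandbox instruction cap, from security.lua.max-instructions */` so the header documents the contract that detect-lua.c and sb_newstate share.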
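Review bot: `ctx->alloc_bytes += nsize` charges the full new size on every resize; unless the lines above the hunk (not in view) first subtract `osize`, a block that is grown repeatedly is counted at each size rather than by its delta, so `alloc_bytes` drifts above live usage and the cap trips earlier than configured. Over-counting fails closed, which is the safe direction for a sandbox limit, but the intent should be written down, e.g. `/* alloc_bytes is a cumulative charge, not live bytes: a resize is charged at its full new size */`, or the resize should account for `osize` if live accounting is what the limit is meant to express — confirm against the free path and the limit check, both of which start before this hunk. Guarding the increment on `nptr != NULL` is correct, since a failed SCRealloc leaves `ptr` untouched and must not be charged.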