CVE-2022-28805 Overview
CVE-2022-28805 is an Out-of-Bounds Read vulnerability affecting the singlevar function in lparser.c within Lua versions 5.4.0 through 5.4.3. The vulnerability stems from a missing luaK_exp2anyregup call, which leads to a heap-based buffer over-read condition. This flaw can impact systems that compile untrusted Lua code, potentially enabling attackers to read sensitive memory contents or cause application crashes.
Critical Impact
Attackers exploiting this vulnerability can cause information disclosure through memory over-reads or trigger denial of service conditions on systems processing untrusted Lua scripts.
Affected Products
- Lua versions 5.4.0 through 5.4.3
- Fedora 35
- Fedora 36
Discovery Timeline
- 2022-04-08 - CVE-2022-28805 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-28805
Vulnerability Analysis
This vulnerability exists in the Lua parser component, specifically within the singlevar function located in lparser.c. When the _ENV environment variable is declared as <const>, the code fails to properly handle the expression through the luaK_exp2anyregup function. This oversight causes the Lua compiler to generate incorrect code, resulting in a heap-based buffer over-read condition.
The vulnerability is classified as CWE-125 (Out-of-Bounds Read), indicating that the program reads data past the boundary of the allocated buffer. This can lead to exposure of sensitive information stored in adjacent memory locations or cause the application to crash when accessing invalid memory addresses.
Systems that accept and compile untrusted Lua code are particularly at risk. The vulnerability can be triggered remotely via network-accessible Lua interpreters or applications embedding Lua scripting functionality.
Root Cause
The root cause lies in the singlevar function within lparser.c. When resolving variable references and the _ENV environment variable is marked as constant (<const>), the function fails to call luaK_exp2anyregup to properly handle the expression. This missing function call results in the Lua code generator producing incorrect bytecode that can cause out-of-bounds memory access during execution.
Attack Vector
An attacker can exploit this vulnerability by providing specially crafted Lua code to a vulnerable Lua interpreter or application. The attack requires the ability to submit Lua code for compilation, which is common in:
- Game engines with Lua scripting support
- Embedded systems using Lua for configuration
- Web applications with Lua-based templating or scripting
- Redis instances with Lua scripting enabled
The vulnerability can be exploited remotely without authentication if the target system accepts untrusted Lua code over the network.
expdesc key;
singlevaraux(fs, ls->envn, var, 1); /* get environment variable */
lua_assert(var->k != VVOID); /* this one must exist */
+ luaK_exp2anyregup(fs, var); /* but could be a constant */
codestring(&key, varname); /* key is variable name */
luaK_indexed(fs, var, &key); /* env[varname] */
}
Source: GitHub Commit 1f3c6f4534c6411313361697d98d1145a1f030fa
The patch adds the missing luaK_exp2anyregup(fs, var) call to ensure proper handling when _ENV is declared as a constant, preventing the buffer over-read condition.
Detection Methods for CVE-2022-28805
Indicators of Compromise
- Unexpected crashes or segmentation faults in Lua-based applications
- Memory access violations logged in system crash dumps referencing lparser.c functions
- Anomalous Lua script submissions containing unusual _ENV declarations with <const> modifiers
- Increased memory read errors in applications processing Lua code
Detection Strategies
- Monitor application logs for Lua interpreter crashes or memory access violations
- Implement input validation to detect and block potentially malicious Lua code patterns
- Deploy runtime application self-protection (RASP) to detect memory corruption attempts
- Use static analysis tools to identify Lua code with unusual _ENV constant declarations
Monitoring Recommendations
- Enable verbose logging for Lua interpreter components to capture parsing errors
- Implement network monitoring for unusual Lua code submissions to affected services
- Configure memory protection mechanisms (ASLR, DEP) to mitigate exploitation impact
- Monitor package management systems for Lua version updates and security patches
How to Mitigate CVE-2022-28805
Immediate Actions Required
- Upgrade Lua to version 5.4.4 or later immediately
- Audit systems to identify all instances of Lua 5.4.0 through 5.4.3
- Restrict access to Lua scripting interfaces from untrusted sources
- Implement input validation for Lua code submitted to your applications
Patch Information
The vulnerability has been fixed in Lua version 5.4.4. The official patch is available in the Lua GitHub repository commit 1f3c6f4534c6411313361697d98d1145a1f030fa. Linux distributions have also released security updates:
- Fedora 35 and 36 users should apply the latest Lua package updates via the Fedora Package Announcements
- Gentoo users should reference GLSA 202305-23
Workarounds
- Disable Lua scripting functionality in affected applications if not required
- Implement sandboxing to isolate Lua execution environments from sensitive system resources
- Apply network segmentation to prevent untrusted users from accessing Lua-enabled services
- Use application firewalls to filter and inspect Lua code submissions
# Check installed Lua version
lua -v
# Update Lua on Fedora systems
sudo dnf update lua
# Update Lua on Gentoo systems
sudo emerge --sync && sudo emerge -av dev-lang/lua
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
