CVE-2022-33099 Overview
CVE-2022-33099 is a heap-buffer overflow vulnerability affecting Lua versions 5.4.4 and earlier. The flaw exists in the luaG_runerror component and is triggered when a recursive error occurs during error handling. This vulnerability allows remote attackers to cause a denial of service condition by crafting inputs that trigger recursive error conditions, leading to memory corruption and application crashes.
Critical Impact
Remote attackers can exploit this heap-buffer overflow to crash Lua-embedded applications, causing denial of service. Systems running vulnerable Lua versions are at risk when processing untrusted input.
Affected Products
- Lua versions 5.4.4 and below
- Fedora 35
- Fedora 36
Discovery Timeline
- 2022-07-01 - CVE-2022-33099 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-33099
Vulnerability Analysis
The vulnerability stems from improper stack management in Lua's error handling mechanisms. When the C stack overflows while handling an error, the Lua stack can also overflow, resulting in a heap-buffer overflow condition. This occurs specifically in the luaG_runerror function within ldebug.c and related string concatenation operations in lvm.c.
The flaw is classified under CWE-787 (Out-of-bounds Write), indicating that the vulnerability allows writing data beyond allocated memory boundaries. This type of memory corruption can lead to application crashes and denial of service when triggered by recursive error conditions.
Root Cause
The root cause lies in insufficient stack space management during error handling. When luaG_runerror is called and the code path adds source and line information via luaG_addinfo(), the temporary message object remains on the stack unnecessarily. In recursive error scenarios, this accumulates and eventually causes a heap-buffer overflow. Similarly, string concatenation operations in the virtual machine did not properly pop strings from the stack before raising length overflow errors.
Attack Vector
An attacker can exploit this vulnerability remotely by providing malicious Lua scripts or inputs that trigger recursive error conditions. Since Lua is commonly embedded in applications for scripting capabilities (game engines, web servers, configuration systems), any application accepting untrusted Lua code or inputs that can trigger deep recursion during error handling is potentially vulnerable.
The attack can be executed over the network without requiring authentication or user interaction, making it particularly dangerous for internet-facing services.
// Security patch in ldebug.c - Save stack space while handling errors
// Source: https://github.com/lua/lua/commit/42d40581dd919fb134c07027ca1ce0844c670daf
va_start(argp, fmt);
msg = luaO_pushvfstring(L, fmt, argp); /* format message */
va_end(argp);
- if (isLua(ci)) /* if Lua function, add source:line information */
+ if (isLua(ci)) { /* if Lua function, add source:line information */
luaG_addinfo(L, msg, ci_func(ci)->p->source, getcurrentline(ci));
+ setobjs2s(L, L->top - 2, L->top - 1); /* remove 'msg' from the stack */
+ L->top--;
+ }
luaG_errormsg(L);
}
// Security patch in lvm.c - Save stack space while handling errors
// Source: https://github.com/lua/lua/commit/42d40581dd919fb134c07027ca1ce0844c670daf
/* collect total length and number of strings */
for (n = 1; n < total && tostring(L, s2v(top - n - 1)); n++) {
size_t l = vslen(s2v(top - n - 1));
- if (l_unlikely(l >= (MAX_SIZE/sizeof(char)) - tl))
+ if (l_unlikely(l >= (MAX_SIZE/sizeof(char)) - tl)) {
+ L->top = top - total; /* pop strings to avoid wasting stack */
luaG_runerror(L, "string length overflow");
+ }
tl += l;
}
if (tl <= LUAI_MAXSHORTLEN) { /* is result a short string? */
Detection Methods for CVE-2022-33099
Indicators of Compromise
- Unexpected crashes in applications embedding Lua with stack overflow or heap corruption error messages
- Core dumps showing memory corruption in luaG_runerror, luaG_addinfo, or luaG_errormsg functions
- Abnormal memory consumption patterns in Lua-embedded applications preceding crashes
- Log entries indicating recursive error conditions or stack overflow exceptions
Detection Strategies
- Monitor application logs for Lua runtime errors related to stack overflow or memory allocation failures
- Implement memory bounds checking and sanitizers (AddressSanitizer) in development and testing environments
- Deploy application-level monitoring to detect unusual patterns of nested error conditions
- Use intrusion detection systems to identify potentially malicious Lua scripts targeting recursive error conditions
Monitoring Recommendations
- Configure crash reporting and analysis for Lua-embedded applications to capture heap-buffer overflow events
- Establish baseline memory usage patterns and alert on anomalies that may indicate exploitation attempts
- Monitor system resources (memory, CPU) for applications processing Lua scripts from untrusted sources
- Implement structured logging to capture Lua error handling depth and frequency
How to Mitigate CVE-2022-33099
Immediate Actions Required
- Upgrade Lua to a patched version that includes commit 42d40581dd919fb134c07027ca1ce0844c670daf or later
- Review and restrict execution of Lua scripts from untrusted sources
- Implement input validation and sandboxing for applications accepting Lua code
- Monitor affected systems for signs of denial of service attacks until patching is complete
Patch Information
The vulnerability has been addressed by the Lua development team through commit 42d40581dd919fb134c07027ca1ce0844c670daf. The fix properly manages stack space during error handling by removing the temporary message object from the stack after adding source information, and by popping strings before raising length overflow errors in string concatenation operations.
For Fedora users, updated packages are available through the standard package management system. Refer to the Fedora package announcements for distribution-specific guidance.
Workarounds
- Implement resource limits on Lua script execution to prevent deep recursion scenarios
- Use Lua sandboxing mechanisms to restrict potentially dangerous operations in untrusted scripts
- Deploy application-level error handling to catch and safely terminate recursive error conditions
- Consider disabling or restricting Lua functionality in internet-facing services until patching is possible
# Configuration example - Check Lua version and update on Fedora systems
lua -v
# If version is 5.4.4 or below, update:
sudo dnf update lua
# For systems building Lua from source, ensure the latest
# patched version is compiled with the security fix
git clone https://github.com/lua/lua.git
cd lua
# Verify patch is present
git log --oneline | grep 42d40581
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
