Description
I have identified a potential "Return of Stack Address" issue (CWE-562) in the project, and I would like to bring it to your attention as it may pose a serious risk. This issue could lead to undefined behavior or security vulnerabilities by exposing a stack variable address. Such a bug may result in program instability, memory corruption, or potential security breaches. Could you please help me check it? Thank you for your effort and patience!
Issue Description:
The bug is located in the files third_party\luajit\tmp\luajit\src\lj_cconv.c and third_party\luajit\tmp\luajit\src\lj_cdata.h, involving the functions cdata_setptr and lj_cconv_ct_ct. The specific code flow is as follows:
1. In the cdata_setptr function, there is a possibility for the value of v to be copied to the value pointed to by p.
2. The function lj_cconv_ct_ct calls cdata_setptr to assign the value of sp to the value pointed to by dp.
3. However, sp is a stack address and should not be assigned to the value pointed to by an input parameter pointer.
4. This results in a "Return of Stack Variable Address" vulnerability (CWE-562), as the dp pointer in the input function parameter will return this stack address.
The relevant code segments that may trigger this bug are highlighted in the attached image.
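To make the distinction this report turns on concrete, here is an added C example (constructed for this page, not LuaJIT's code): a model setptr/getptr pair that copies a pointer value through a data pointer, the pattern step 1 describes, next to a genuine CWE-562 escape of a local's address, with a check a maintainer could use when triaging whether dp ends up holding a copied pointee value or the address of a stack buffer. The names model_setptr, model_getptr, model_conv_ptr, cwe562_escape_local and conversion_copies_value are assumptions for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of a setptr/getptr pair (constructed for illustration, not
   LuaJIT's cdata_setptr/cdata_getptr): copy a pointer VALUE of size
   sz through a data pointer. Assumes sz == sizeof(void *). */
static void model_setptr(void *p, size_t sz, void *v)
{
  memcpy(p, &v, sz);          /* stores the value v, never the address &v */
}

static void *model_getptr(const void *p, size_t sz)
{
  void *v = NULL;
  memcpy(&v, p, sz);
  return v;
}

/* Pointer-to-pointer conversion in the shape of step 2: the pointer
   stored at sp is read and written at dp. The local variable sp (and
   its own address) is not what gets stored. */
static void model_conv_ptr(uint8_t *dp, size_t dsize, uint8_t *sp, size_t ssize)
{
  model_setptr(dp, dsize, model_getptr(sp, ssize));
}

/* A genuine CWE-562 pattern for contrast: the ADDRESS of a local is
   written through the out-parameter and dangles once this returns. */
void cwe562_escape_local(void **out)
{
  int local = 42;
  *out = &local;              /* bug: stack address escapes the frame */
}

/* Triage check: after conversion, dp must hold the pointee that was
   stored in the source buffer, and must not hold the source buffer's
   own (stack) address. Returns 1 when that holds. */
int conversion_copies_value(void)
{
  static int target = 7;      /* constructed pointee with static lifetime */
  uint8_t src[sizeof(void *)], dst[sizeof(void *)];
  void *t = &target;
  memcpy(src, &t, sizeof t);  /* source buffer holds a pointer value */
  memset(dst, 0, sizeof dst);
  model_conv_ptr(dst, sizeof dst, src, sizeof src);
  void *got = model_getptr(dst, sizeof dst);
  return got == (void *)&target && got != (void *)src;
}
```

Building the real code with AddressSanitizer (detect_stack_use_after_return=1) or reviewing compiler warnings such as GCC's -Wreturn-local-addr is the practical way to confirm whether an address, rather than a pointer value, is escaping.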
