Topic on Talk:LuaSandbox

Luasandbox gives a sigsegv

Summary by Anomie

Already in Phabricator as T213437, no need to split the discussion. "The devs" would be happy to fix the bug, but first someone needs to both reproduce and debug it. We've been unable to do the former, and it seems Jeblad refuses to try to do the latter.

Jeblad (talk | contribs)

Luasandbox gives a sigsegv on at least amd64, but the devs refuse to accept it. After testing on several OSes and versions of the OSes, both in host and client, I am pretty sure it is consistent. I have not tested on other archs, but feel free to do so.

If you must do extensive testing, then try to avoid the luasandbox; use the standalone solution.

Having several competing systems that all mess with the stack is not very safe. I wrote a pretty long report on where and how it sigsegvs, but when devs started to demand I should provide "proof", I got fed up and deleted it.

Someone else should do the investigation; perhaps the devs will believe them. In the meantime, hope that someone finds the bug and fixes it before someone finds a way to exploit it.

Code throwing a sigsegv from activity on the stack is a pretty good indication of a serious malfunction, but hopefully not something that can be exploited. (Can always hope…)

Yes, I have reported the bug, and yes I have warned about this.

For what it is worth, I'm not using luasandbox myself, as I suspect this is not only an annoying bug, but a security issue. (The code manipulates the stack and gives a sigsegv, so yes, it is most likely a security issue.)

Jeblad (talk | contribs)

The extension throws sigsegv, but Anomie, among others, refuses to accept it. This is not the way to handle a bug report, and especially not a report about something that has all the signs of being a security issue.

Anomie (talk | contribs)

If you think it's such an important issue, why do you refuse to help debug it? Instead you're here spreading lies and FUD.

Jeblad (talk | contribs)

Pretty nice reply? The darn code sigsegvs, and when reporting it I'm being told "Instead you're here spreading lies and FUD." It is … unbelievable!

Wasted a week trying to figure out why and how, and then got a "this bug don't exist". No, I have not created this code; no, it is not my responsibility to debug the darn code. I have reported the bug, and that's it.

Debugging and fixing faulty code is the responsibility of the devs who made the code, and guess who that is?
