Note that loading (maliciously crafted) bytecode is generally *not* safe in Lua;... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		myrmidon on Jan 31, 2025 \| parent \| context \| favorite \| on: Show HN: Ldump – serialize any Lua data Note that loading (maliciously crafted) bytecode is generally not safe in Lua; sandboxing can be escaped in more ways than what's possible when loading plaintext sourcecode, and there are no full mitigations for this currently as far as I know (and would probably be highly interpreter/version sensitive anyway)-- the only "real" mitigation strategy is to just not `load` bytecode at all. But this is probably a non-issue for a lot of usecases. See e.g. https://gist.github.com/corsix/6575486 https://www.corsix.org/content/malicious-luajit-bytecode

girvel on Jan 31, 2025 [–]

This is fascinating. I wonder if this issue exists in Lua5.2+, where there is no jit and `load` is able to restrict used environment.

myrmidon on Feb 1, 2025 | [–]

Yes, exists. Here is an example for 5.2:

https://ia903205.us.archive.org/15/items/ARMArchitectureRefe...

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact