From d6284470e4420d4c0ce2e65e071e26903b9a9a20 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 7 Apr 2026 09:48:13 +0200
Subject: [PATCH] BUG/MINOR: hlua: fix format-string vulnerability in Patref
 error path

hlua_error() is a printf-family function (calls vsnprintf), but
hlua_patref_set, hlua_patref_add, and _hlua_patref_add_bulk pass
errmsg directly as the format string. errmsg is built by pattern.c
helpers that embed the user-supplied key or value verbatim, e.g.
pat_ref_set_elt() generates "unable to parse '<value>'".

A Lua script calling:

    ref:set("key", "%p.%p.%p.%p.%p.%p.%p.%p")

against a map with an integer output type (where the parse fails)
gets stack/register contents formatted into the (nil, err) return
value -> ASLR/canary leak. With %n and no _FORTIFY_SOURCE this
becomes an arbitrary write primitive.

This must be backported as far as the Patref Lua API exists.
---
 src/hlua_fcn.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/hlua_fcn.c b/src/hlua_fcn.c
index 36c5f98d0..f204c0a04 100644
--- a/src/hlua_fcn.c
+++ b/src/hlua_fcn.c
@@ -2870,7 +2870,7 @@ int hlua_patref_add(lua_State *L)
 
 
 	if (!ret) {
-		ret = hlua_error(L, errmsg);
+		ret = hlua_error(L, "%s", errmsg);
 		ha_free(&errmsg);
 		return ret;
 	}
@@ -2919,7 +2919,7 @@ static int _hlua_patref_add_bulk(lua_State *L, int status, lua_KContext ctx)
 
 		if (!pat_ref_load(ref->ptr, curr_gen, key, value, -1, &errmsg)) {
 			HA_RWLOCK_WRUNLOCK(PATREF_LOCK, &ref->ptr->lock);
-			ret = hlua_error(L, errmsg);
+			ret = hlua_error(L, "%s", errmsg);
 			ha_free(&errmsg);
 			return ret;
 		}
@@ -3023,7 +3023,7 @@ int hlua_patref_set(lua_State *L)
 	HA_RWLOCK_WRUNLOCK(PATREF_LOCK, &ref->ptr->lock);
 
 	if (!ret) {
-		ret = hlua_error(L, errmsg);
+		ret = hlua_error(L, "%s", errmsg);
 		ha_free(&errmsg);
 		return ret;
 	}