From 342ee426ad0d0731b2272553bd4db2cd78e24772 Mon Sep 17 00:00:00 2001
From: YaacovHazan
Date: Sun, 15 Dec 2024 21:41:45 +0200
Subject: [PATCH] Fix LUA garbage collector (CVE-2024-46981)

Reset GC state before closing the lua VM to prevent user data to be wrongly freed while still might be used on destructor callbacks.
---
 src/eval.c | 1 +
 src/function_lua.c | 1 +
 2 files changed, 2 insertions(+)

diff --git a/src/eval.c b/src/eval.c
index 47fb434647..fed606d2d2 100644
--- a/src/eval.c
+++ b/src/eval.c
@@ -266,6 +266,7 @@ void freeLuaScriptsSync(dict *lua_scripts, list *lua_scripts_lru_list, lua_State
 unsigned int lua_tcache = (unsigned int)(uintptr_t)ud;
 #endif
+ lua_gc(lua, LUA_GCCOLLECT, 0);
 lua_close(lua);
 #if defined(USE_JEMALLOC)
diff --git a/src/function_lua.c b/src/function_lua.c
index 37069ec213..ff471f2ac5 100644
--- a/src/function_lua.c
+++ b/src/function_lua.c
@@ -198,6 +198,7 @@ static void luaEngineFreeCtx(void *engine_ctx) {
 unsigned int lua_tcache = (unsigned int)(uintptr_t)ud;
 #endif
+ lua_gc(lua_engine_ctx->lua, LUA_GCCOLLECT, 0);
 lua_close(lua_engine_ctx->lua);
 zfree(lua_engine_ctx);
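Review bot: The added `lua_gc(lua, LUA_GCCOLLECT, 0);` in freeLuaScriptsSync carries no comment, and placed directly before `lua_close(lua)` it reads as redundant work that a later cleanup could delete, which would quietly reopen CVE-2024-46981. I would put `/* Reset the GC state with a full collection before lua_close() so userdata is not freed while destructor callbacks may still use it (CVE-2024-46981). */` above it, and the same above the identical line in luaEngineFreeCtx in src/function_lua.c. Because both teardown paths now depend on the same two-call sequence, a small shared close helper would keep any other lua_close() caller from skipping the collection; whether other callers exist is not visible in this patch. The diffstat shows only the two source files, so a regression test that exercises VM teardown would be worth adding alongside the fix. Both function bodies start and end outside their hunks.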