The following input demonstrates a heap buffer overflow (as reported by ASAN).

To reproduce, build MRuby with clang and enable ASAN (`CFLAGS=-fsanitize=address LDFLAGS=-fsanitize=address make`), then supply the input above to `bin/mruby`.

The ASAN report appears to show an out-of-bounds write into the Ruby stack:
```text
==93373==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000009960 at pc 0x000103c46bbe bp 0x7fff5c3463d0 sp 0x7fff5c345b90
WRITE of size 16 at 0x625000009960 thread T0
    #0 0x103c46bbd in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib+0x41bbd)
    #1 0x103a13326 in mrb_vm_run vm.c:789
    #2 0x103a0ca0e in mrb_run vm.c:2503
    #3 0x103a41065 in ecall vm.c:298
    #4 0x103a26279 in mrb_vm_exec vm.c:1579
    #5 0x103a13389 in mrb_vm_run vm.c:790
    #6 0x103a43b59 in mrb_top_run vm.c:2514
    #7 0x103b10bb5 in mrb_load_exec parse.y:5755
    #8 0x103b119c5 in mrb_load_file_cxt parse.y:5764
    #9 0x1038b2b0a in main mruby.c:232
    #10 0x7fffcf99b254 in start (libdyld.dylib+0x5254)

0x625000009960 is located 48 bytes to the right of 8240-byte region [0x625000007900,0x625000009930)
allocated by thread T0 here:
    #0 0x103c4ff87 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4af87)
    #1 0x1039a9cf5 in mrb_default_allocf state.c:60
    #2 0x10392d718 in mrb_realloc_simple gc.c:201
    #3 0x10392ddfe in mrb_realloc gc.c:215
    #4 0x103a4440b in stack_extend_alloc vm.c:155
    #5 0x103a0c135 in stack_extend vm.c:172
    #6 0x103a13297 in mrb_vm_run vm.c:788
    #7 0x103a0ca0e in mrb_run vm.c:2503
    #8 0x103a41065 in ecall vm.c:298
    #9 0x103a26279 in mrb_vm_exec vm.c:1579
    #10 0x103a13389 in mrb_vm_run vm.c:790
    #11 0x103a43b59 in mrb_top_run vm.c:2514
    #12 0x103b10bb5 in mrb_load_exec parse.y:5755
    #13 0x103b119c5 in mrb_load_file_cxt parse.y:5764
    #14 0x1038b2b0a in main mruby.c:232
    #15 0x7fffcf99b254 in start (libdyld.dylib+0x5254)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib+0x41bbd) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c4a000012d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4a000012e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4a000012f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4a00001300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4a00001310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c4a00001320: 00 00 00 00 00 00 fa fa fa fa fa fa[fa]fa fa fa
  0x1c4a00001330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4a00001340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4a00001350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4a00001360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4a00001370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
```
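As an added triage helper (not code from this issue or from the mruby project), the script below parses the report above, recomputes from the raw addresses how far the faulting write lands past the end of the 8240-byte region, and pulls the first project-code frame out of both the crash stack and the allocation stack; the embedded report text is a constructed, abbreviated copy of the one quoted here.

```python
import re
# Constructed excerpt of the ASAN report quoted in this issue (addresses as given there, frames abbreviated).
ASAN_REPORT = """\
==93373==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000009960 at pc 0x000103c46bbe
WRITE of size 16 at 0x625000009960 thread T0
    #0 0x103c46bbd in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib+0x41bbd)
    #1 0x103a13326 in mrb_vm_run vm.c:789
    #2 0x103a0ca0e in mrb_run vm.c:2503
0x625000009960 is located 48 bytes to the right of 8240-byte region [0x625000007900,0x625000009930)
allocated by thread T0 here:
    #0 0x103c4ff87 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4af87)
    #1 0x1039a9cf5 in mrb_default_allocf state.c:60
    #4 0x103a4440b in stack_extend_alloc vm.c:155
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
SITE_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
                     r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)", re.M)
RUNTIME_PREFIXES = ("__asan", "__interceptor", "wrap_")  # sanitizer runtime, not project code

def first_project_frame(stack_text):
    """First (function, location) frame that is not part of the sanitizer runtime."""
    for fn, loc in FRAME_RE.findall(stack_text):
        if not fn.startswith(RUNTIME_PREFIXES):
            return (fn, loc)
    return None

def parse_asan(report):
    """Triage an ASAN heap report: access type, distance outside the region, and where it happened."""
    err, acc, site = ERROR_RE.search(report), ACCESS_RE.search(report), SITE_RE.search(report)
    if not (err and acc and site):
        raise ValueError("not a recognised ASAN heap-buffer report")
    addr, size = int(acc.group(3), 16), int(acc.group(2))
    lo, hi = int(site.group(4), 16), int(site.group(5), 16)
    # Recompute the distance from the region edge rather than trusting the prose line.
    computed = addr - hi if site.group(2) == "right" else lo - addr
    crash_stack, alloc_stack = report.split("allocated by", 1)
    return {
        "kind": err.group(1),
        "access": acc.group(1),          # WRITE past a region corrupts neighbours; READ mostly leaks
        "size": size,
        "region_size": hi - lo,
        "bytes_outside": computed,
        "report_consistent": computed == int(site.group(1)) and hi - lo == int(site.group(3)),
        "fault_frame": first_project_frame(crash_stack),
        "alloc_frame": first_project_frame(alloc_stack),
    }
```

For the report in this issue the recomputed distance (48 bytes) and region size (8240 bytes) agree with ASAN's own summary line, and the first project frames are `mrb_vm_run vm.c:789` for the write and `mrb_default_allocf state.c:60` for the allocation.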
This issue was reported by https://hackerone.com/titanous