Heap overflow caused by long array list arguments #3401

clayton-shopify · 2017-01-20T20:40:32Z

The following input demonstrates a heap buffer overflow (as reported by ASAN):

begin
  A
  ensure
end & %W(0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0)

To reproduce, build MRuby with clang and enable ASAN (CFLAGS=-fsanitize=address LDFLAGS=-fsanitize=address make), then supply the input above to bin/mruby.

The ASAN report appears to show an out-of-bounds write into the Ruby stack:

==93373==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000009960 at pc 0x000103c46bbe bp 0x7fff5c3463d0 sp 0x7fff5c345b90
WRITE of size 16 at 0x625000009960 thread T0
    #0 0x103c46bbd in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib+0x41bbd)
    #1 0x103a13326 in mrb_vm_run vm.c:789
    #2 0x103a0ca0e in mrb_run vm.c:2503
    #3 0x103a41065 in ecall vm.c:298
    #4 0x103a26279 in mrb_vm_exec vm.c:1579
    #5 0x103a13389 in mrb_vm_run vm.c:790
    #6 0x103a43b59 in mrb_top_run vm.c:2514
    #7 0x103b10bb5 in mrb_load_exec parse.y:5755
    #8 0x103b119c5 in mrb_load_file_cxt parse.y:5764
    #9 0x1038b2b0a in main mruby.c:232
    #10 0x7fffcf99b254 in start (libdyld.dylib+0x5254)

0x625000009960 is located 48 bytes to the right of 8240-byte region [0x625000007900,0x625000009930)
allocated by thread T0 here:
    #0 0x103c4ff87 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4af87)
    #1 0x1039a9cf5 in mrb_default_allocf state.c:60
    #2 0x10392d718 in mrb_realloc_simple gc.c:201
    #3 0x10392ddfe in mrb_realloc gc.c:215
    #4 0x103a4440b in stack_extend_alloc vm.c:155
    #5 0x103a0c135 in stack_extend vm.c:172
    #6 0x103a13297 in mrb_vm_run vm.c:788
    #7 0x103a0ca0e in mrb_run vm.c:2503
    #8 0x103a41065 in ecall vm.c:298
    #9 0x103a26279 in mrb_vm_exec vm.c:1579
    #10 0x103a13389 in mrb_vm_run vm.c:790
    #11 0x103a43b59 in mrb_top_run vm.c:2514
    #12 0x103b10bb5 in mrb_load_exec parse.y:5755
    #13 0x103b119c5 in mrb_load_file_cxt parse.y:5764
    #14 0x1038b2b0a in main mruby.c:232
    #15 0x7fffcf99b254 in start (libdyld.dylib+0x5254)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib+0x41bbd) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c4a000012d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4a000012e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4a000012f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4a00001300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4a00001310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c4a00001320: 00 00 00 00 00 00 fa fa fa fa fa fa[fa]fa fa fa
  0x1c4a00001330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4a00001340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4a00001350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4a00001360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4a00001370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

This issue was reported by https://hackerone.com/titanous

The text was updated successfully, but these errors were encountered:

matz closed this as completed in c48aef0 Jan 21, 2017

matz mentioned this issue Jan 21, 2017

Heap buffer overflow in stack_clear #3391

Closed

Heap overflow caused by long array list arguments #3401

Heap overflow caused by long array list arguments #3401

Comments

clayton-shopify commented Jan 20, 2017