Heap overflow caused by long array list arguments #3401

Closed
clayton-shopify opened this Issue Jan 20, 2017 · 0 comments

clayton-shopify commented Jan 20, 2017

The following input demonstrates a heap buffer overflow (as reported by ASAN):

begin
  A
  ensure
end & %W(0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0)

To reproduce, build MRuby with clang and enable ASAN (CFLAGS=-fsanitize=address LDFLAGS=-fsanitize=address make), then supply the input above to bin/mruby.

The ASAN report appears to show an out-of-bounds write into the Ruby stack:

==93373==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000009960 at pc 0x000103c46bbe bp 0x7fff5c3463d0 sp 0x7fff5c345b90
WRITE of size 16 at 0x625000009960 thread T0
    #0 0x103c46bbd in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib+0x41bbd)
    #1 0x103a13326 in mrb_vm_run vm.c:789
    #2 0x103a0ca0e in mrb_run vm.c:2503
    #3 0x103a41065 in ecall vm.c:298
    #4 0x103a26279 in mrb_vm_exec vm.c:1579
    #5 0x103a13389 in mrb_vm_run vm.c:790
    #6 0x103a43b59 in mrb_top_run vm.c:2514
    #7 0x103b10bb5 in mrb_load_exec parse.y:5755
    #8 0x103b119c5 in mrb_load_file_cxt parse.y:5764
    #9 0x1038b2b0a in main mruby.c:232
    #10 0x7fffcf99b254 in start (libdyld.dylib+0x5254)

0x625000009960 is located 48 bytes to the right of 8240-byte region [0x625000007900,0x625000009930)
allocated by thread T0 here:
    #0 0x103c4ff87 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4af87)
    #1 0x1039a9cf5 in mrb_default_allocf state.c:60
    #2 0x10392d718 in mrb_realloc_simple gc.c:201
    #3 0x10392ddfe in mrb_realloc gc.c:215
    #4 0x103a4440b in stack_extend_alloc vm.c:155
    #5 0x103a0c135 in stack_extend vm.c:172
    #6 0x103a13297 in mrb_vm_run vm.c:788
    #7 0x103a0ca0e in mrb_run vm.c:2503
    #8 0x103a41065 in ecall vm.c:298
    #9 0x103a26279 in mrb_vm_exec vm.c:1579
    #10 0x103a13389 in mrb_vm_run vm.c:790
    #11 0x103a43b59 in mrb_top_run vm.c:2514
    #12 0x103b10bb5 in mrb_load_exec parse.y:5755
    #13 0x103b119c5 in mrb_load_file_cxt parse.y:5764
    #14 0x1038b2b0a in main mruby.c:232
    #15 0x7fffcf99b254 in start (libdyld.dylib+0x5254)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib+0x41bbd) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c4a000012d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4a000012e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4a000012f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4a00001300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4a00001310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c4a00001320: 00 00 00 00 00 00 fa fa fa fa fa fa[fa]fa fa fa
  0x1c4a00001330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4a00001340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4a00001350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4a00001360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4a00001370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

This issue was reported by https://hackerone.com/titanous
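The reproduction steps in the report (build with ASAN, feed the input to bin/mruby) can be scripted so the length of the %W(...) literal becomes a parameter, which makes it easy to find the element count at which the write first leaves the allocated Ruby stack. The script below is an added example, not code from the report or from the mruby project. It assumes it is run from the root of an mruby checkout, that `make` picks up the CFLAGS/LDFLAGS environment exactly as the report's command line does, and that the default compiler is clang (true on the macOS host the report was produced on; elsewhere point CC at clang). The default element count of 600 is an assumption chosen to be comparable to the report's literal; the report's own input is the reference.

```shell
#!/bin/sh
# Added example (not part of the original report or the mruby source tree).
# gen_poc N    -> print the report's program with N zero elements in %W(...)
# build_asan   -> build mruby with AddressSanitizer, as the report describes
# run_poc N    -> write poc.rb with N elements and run it under the ASAN build
set -eu

# Emit the repro program with $1 zero-elements in the %W(...) literal.
# The fixed part (begin / A / ensure / end &) is exactly the report's input;
# only the element count varies.
gen_poc() {
    n=$1
    elems=""
    i=0
    while [ "$i" -lt "$n" ]; do
        elems="${elems}0 "
        i=$((i + 1))
    done
    elems=${elems% }          # drop trailing space so the literal matches the report's form
    printf 'begin\n  A\n  ensure\nend & %%W(%s)\n' "$elems"
}

# Count the elements inside the %W(...) literal of a generated program on
# stdin. Used to sanity-check the generator before spending a build on it.
count_elems() {
    sed -n 's/.*%W(\(.*\))$/\1/p' | tr ' ' '\n' | grep -c .
}

# Build an ASAN-instrumented bin/mruby with the command line from the report.
# Assumption: the default toolchain is clang (set CC=clang in the environment
# on hosts where `cc` is gcc; the report itself gives no Linux build line).
build_asan() {
    CFLAGS=-fsanitize=address LDFLAGS=-fsanitize=address make
}

# Generate poc.rb with $1 elements and run it. ASAN aborts the process with a
# non-zero status on the heap-buffer-overflow, so the exit status of this
# function tells a caller whether a given element count triggers the bug,
# which is all that is needed to bisect for the threshold.
run_poc() {
    n=$1
    gen_poc "$n" > poc.rb
    ASAN_OPTIONS=symbolize=1 ./bin/mruby poc.rb
}

# Usage:  sh repro.sh build        # build the ASAN-instrumented bin/mruby
#         sh repro.sh run [N]      # run the repro with N elements (default 600, an assumption)
case "${1-}" in
    build) build_asan ;;
    run)   run_poc "${2:-600}" ;;
esac
```

To locate the smallest triggering length, call `sh repro.sb run N` in a loop over N and record the first N for which the command exits non-zero; the ASAN report printed at that point should match the one above (WRITE in mrb_vm_run, allocation in stack_extend_alloc).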
