The following input demonstrates a heap buffer overflow (as reported by ASAN):

To reproduce, build MRuby with clang and enable ASAN (`CFLAGS=-fsanitize=address LDFLAGS=-fsanitize=address make`), then supply the input above to `bin/mruby`.

The ASAN report appears to show an out-of-bounds write into the Ruby stack:
```
==93373==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000009960 at pc 0x000103c46bbe bp 0x7fff5c3463d0 sp 0x7fff5c345b90
WRITE of size 16 at 0x625000009960 thread T0
    #0 0x103c46bbd in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib+0x41bbd)
    #1 0x103a13326 in mrb_vm_run vm.c:789
    #2 0x103a0ca0e in mrb_run vm.c:2503
    #3 0x103a41065 in ecall vm.c:298
    #4 0x103a26279 in mrb_vm_exec vm.c:1579
    #5 0x103a13389 in mrb_vm_run vm.c:790
    #6 0x103a43b59 in mrb_top_run vm.c:2514
    #7 0x103b10bb5 in mrb_load_exec parse.y:5755
    #8 0x103b119c5 in mrb_load_file_cxt parse.y:5764
    #9 0x1038b2b0a in main mruby.c:232
    #10 0x7fffcf99b254 in start (libdyld.dylib+0x5254)

0x625000009960 is located 48 bytes to the right of 8240-byte region [0x625000007900,0x625000009930)
allocated by thread T0 here:
    #0 0x103c4ff87 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4af87)
    #1 0x1039a9cf5 in mrb_default_allocf state.c:60
    #2 0x10392d718 in mrb_realloc_simple gc.c:201
    #3 0x10392ddfe in mrb_realloc gc.c:215
    #4 0x103a4440b in stack_extend_alloc vm.c:155
    #5 0x103a0c135 in stack_extend vm.c:172
    #6 0x103a13297 in mrb_vm_run vm.c:788
    #7 0x103a0ca0e in mrb_run vm.c:2503
    #8 0x103a41065 in ecall vm.c:298
    #9 0x103a26279 in mrb_vm_exec vm.c:1579
    #10 0x103a13389 in mrb_vm_run vm.c:790
    #11 0x103a43b59 in mrb_top_run vm.c:2514
    #12 0x103b10bb5 in mrb_load_exec parse.y:5755
    #13 0x103b119c5 in mrb_load_file_cxt parse.y:5764
    #14 0x1038b2b0a in main mruby.c:232
    #15 0x7fffcf99b254 in start (libdyld.dylib+0x5254)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib+0x41bbd) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c4a000012d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4a000012e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4a000012f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4a00001300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4a00001310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c4a00001320: 00 00 00 00 00 00 fa fa fa fa fa fa[fa]fa fa fa
  0x1c4a00001330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4a00001340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4a00001350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4a00001360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4a00001370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
```
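The first triage step on a report like this is to pull out the bug class, the access, the faulting address and the allocation it overran, and to confirm that the prose ("48 bytes to the right of 8240-byte region") agrees with the raw addresses before filing or deduplicating. The Python below is an added example, not part of this issue or of the mruby project: it parses an abbreviated, constructed copy of the report quoted above, cross-checks the stated offset and region size against the hex addresses, and derives a dedup key from the first frame that is not inside the sanitizer runtime. The frame-skipping rule (ignore `libclang_rt` locations and `asan`-prefixed functions) is an assumption chosen for this sample, not an ASAN convention.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: an abbreviated copy of the ASAN report quoted in the issue.
SAMPLE_REPORT = """\
==93373==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000009960 at pc 0x000103c46bbe bp 0x7fff5c3463d0 sp 0x7fff5c345b90
WRITE of size 16 at 0x625000009960 thread T0
    #0 0x103c46bbd in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib+0x41bbd)
    #1 0x103a13326 in mrb_vm_run vm.c:789
    #2 0x103a0ca0e in mrb_run vm.c:2503
    #3 0x103a41065 in ecall vm.c:298
0x625000009960 is located 48 bytes to the right of 8240-byte region [0x625000007900,0x625000009930)
allocated by thread T0 here:
    #0 0x103c4ff87 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4af87)
    #1 0x1039a9cf5 in mrb_default_allocf state.c:60
    #2 0x10392d718 in mrb_realloc_simple gc.c:201
    #3 0x10392ddfe in mrb_realloc gc.c:215
    #4 0x103a4440b in stack_extend_alloc vm.c:155
SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib+0x41bbd) in __asan_memcpy
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
REGION = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
                    r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+) (.+)$")


@dataclass
class AsanReport:
    bug_class: str = ""
    address: int = 0
    access: str = ""            # READ or WRITE
    size: int = 0
    reported_offset: int = 0    # the "N bytes to the left/right" figure as printed
    side: str = ""              # "left", "right", or "" when inside the region
    region_size: int = 0
    region_start: int = 0
    region_end: int = 0         # exclusive, as in ASAN's [start,end) notation
    access_frames: list = field(default_factory=list)   # (function, location)
    alloc_frames: list = field(default_factory=list)

    @property
    def overflow_bytes(self) -> int:
        """Bytes past the end of the region that the access starts at (0 if not past it)."""
        return max(0, self.address - self.region_end)

    def consistent(self) -> bool:
        """Cross-check the human-readable offset and region size against the raw addresses."""
        if self.region_end - self.region_start != self.region_size:
            return False
        if self.side == "right":
            return self.address - self.region_end == self.reported_offset
        if self.side == "left":
            return self.region_start - self.address == self.reported_offset
        return self.region_start <= self.address < self.region_end

    @staticmethod
    def first_project_frame(frames) -> str:
        """First frame outside the sanitizer runtime, as 'function file:line' (assumed rule)."""
        for fn, loc in frames:
            if "libclang_rt" not in loc and not fn.startswith("__asan"):
                return f"{fn} {loc}"
        return "<unknown>"


def parse_asan_report(text: str) -> AsanReport:
    """Parse the header, access stack, region line and allocation stack of one ASAN report."""
    rep = None
    frames = None   # the frame list currently being filled, if any
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.search(line)
        if m:
            rep = AsanReport(bug_class=m.group(1), address=int(m.group(2), 16))
            continue
        if rep is None:
            continue
        m = ACCESS.match(line)
        if m:
            rep.access, rep.size = m.group(1), int(m.group(2))
            frames = rep.access_frames
            continue
        m = REGION.search(line)
        if m:
            rep.reported_offset, rep.side = int(m.group(1)), m.group(2)
            rep.region_size = int(m.group(3))
            rep.region_start, rep.region_end = int(m.group(4), 16), int(m.group(5), 16)
            frames = None
            continue
        if line.startswith("allocated by"):
            frames = rep.alloc_frames
            continue
        m = FRAME.search(line)
        if m and frames is not None:
            frames.append((m.group(1), m.group(2)))
    if rep is None:
        raise ValueError("no AddressSanitizer error header found")
    return rep


def triage_key(rep: AsanReport) -> str:
    """Stable key for deduplicating crashes: bug class, access kind/size, first project frame."""
    return f"{rep.bug_class}|{rep.access}{rep.size}|{rep.first_project_frame(rep.access_frames)}"


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print(triage_key(r), "overflow_bytes =", r.overflow_bytes, "consistent =", r.consistent())
    print("allocated at:", r.first_project_frame(r.alloc_frames))
```

For the sample above the computed distance (0x625000009960 minus 0x625000009930) is 48 bytes and the region length is 0x2030 = 8240 bytes, both matching what ASAN printed, and the dedup key lands on `mrb_vm_run vm.c:789`, the frame just after the 16-byte `memcpy`.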
This issue was reported by https://hackerone.com/titanous