Recursion causing uninitialized memory reads leading to a segfault

[clayton-shopify]

Dinko Galetic and Denis Kasak reported the following (via https://hackerone.com/dgaletic):

---

The following code produces a segfault without causing a stack overflow, affecting the sandbox:

def fn(n)
    return
    ensure
        if n == 0
    else fn(n-1)
    end
end
fn(24)

When the n parameter is less than 24, there is no segfault. However,
investigating with a memory sanitizer shows that uninitialized read errors
start to happen when n >= 15. The uninitialized read happens at the following
location in vm.c (with the relevant line marked):

1701         cipop(mrb);
1702         acc = ci->acc;  [***]
1703         mrb->c->stack = ci->stackent;

The issue seems to be in using the ci data after the call to cipop. The following patch stops the read errors and segfaults, and passes make test:

diff --git a/src/vm.c b/src/vm.c
index 9684dab..66fb692 100644
--- a/src/vm.c
+++ b/src/vm.c
@@ -1698,9 +1698,10 @@ RETRY_TRY_BLOCK:
           mrb->jmp = prev_jmp;
           return v;
         }
-        cipop(mrb);
+        ci = mrb->c->ci;
         acc = ci->acc;
         mrb->c->stack = ci->stackent;
+        cipop(mrb);
         if (acc == CI_ACC_SKIP) {
           mrb->jmp = prev_jmp;
           return v;

Update:

If the above POC doesn't crash the sandbox reliably, try increasing the n parameter (it crashes for me with n = 30). Also, a small correction: the memory errors and segfault are caused by holding onto the old mrb->c->ci pointer in the ci variable after the calls to ecall which sometimes reallocate into a different block. The call to cipop needed to be moved so the fix can work because cipop modifies mrb->c->ci.