Heap buffer overflow with many arguments #3440

Closed
clayton-shopify opened this Issue Feb 8, 2017 · 0 comments


clayton-shopify commented Feb 8, 2017

https://hackerone.com/titanous reported the following:


The following program triggers a heap buffer overflow:

d 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 < 0 - 0.-- 0

ASAN report:

=================================================================
==3720==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001e880 at pc 0x0000004ae8ac bp 0x7ffee59f8930 sp 0x7ffee59f80e0
WRITE of size 16 at 0x61d00001e880 thread T0
    #0 0x4ae8ab in __asan_memcpy (/vagrant/bin/mruby+0x4ae8ab)
    #1 0x64ad6d in value_move /vagrant/src/value_array.h:14:15
    #2 0x629792 in mrb_vm_exec /vagrant/src/vm.c:1181:11
    #3 0x620b8b in mrb_vm_run /vagrant/src/vm.c:801:10
    #4 0x64d298 in mrb_top_run /vagrant/src/vm.c:2533:12
    #5 0x676ec9 in mrb_load_exec /vagrant/mrbgems/mruby-compiler/core/parse.y:5755:7
    #6 0x677b65 in mrb_load_file_cxt /vagrant/mrbgems/mruby-compiler/core/parse.y:5764:10
    #7 0x4f3af5 in main /vagrant/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:232:11
    #8 0x7fb19c1e3f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #9 0x41a505 in _start (/vagrant/bin/mruby+0x41a505)

0x61d00001e880 is located 0 bytes to the right of 2048-byte region [0x61d00001e080,0x61d00001e880)
allocated by thread T0 here:
    #0 0x4c4c0d in realloc (/vagrant/bin/mruby+0x4c4c0d)
    #1 0x5c14f5 in mrb_default_allocf /vagrant/src/state.c:60:12
    #2 0x550b96 in mrb_realloc_simple /vagrant/src/gc.c:201:8
    #3 0x5511e4 in mrb_realloc /vagrant/src/gc.c:215:8
    #4 0x551b23 in mrb_malloc /vagrant/src/gc.c:236:10
    #5 0x551bbd in mrb_calloc /vagrant/src/gc.c:254:9
    #6 0x618d19 in stack_init /vagrant/src/vm.c:92:28
    #7 0x616446 in mrb_funcall_with_block /vagrant/src/vm.c:365:7
    #8 0x615e60 in mrb_funcall_with_block /vagrant/src/vm.c:343:13
    #9 0x6156dc in mrb_funcall_argv /vagrant/src/vm.c:447:10
    #10 0x5247e7 in mrb_obj_new /vagrant/src/class.c:1412:3
    #11 0x53f2fe in mrb_exc_new_str /vagrant/src/error.c:32:10
    #12 0x5489ee in mrb_init_exception /vagrant/src/error.c:550:20
    #13 0x6a5710 in mrb_init_core /vagrant/src/init.c:41:3
    #14 0x5c1495 in mrb_open_core /vagrant/src/state.c:47:3
    #15 0x5c163c in mrb_open_allocf /vagrant/src/state.c:107:20
    #16 0x5c160a in mrb_open /vagrant/src/state.c:99:20
    #17 0x4f29d3 in main /vagrant/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:172:20
    #18 0x7fb19c1e3f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow (/vagrant/bin/mruby+0x4ae8ab) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c3a7fffbcc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbcd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbcf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a7fffbd10:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbd20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbd30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbd40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbd50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a7fffbd60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3720==ABORTING
vagrant@vagrant-ubuntu-trusty-64:/vagrant$ ASAN_SYMBOLIZER_PATH=/usr/lib/llvm-3.8/bin/llvm-symbolizer bi^Cmruby crash-triage/02.rb
vagrant@vagrant-ubuntu-trusty-64:/vagrant$ ~/mruby-engine/bin/sandbox crash-triage/02.rb
/home/vagrant/mruby-engine/bin/sandbox:20:in `sandbox_eval': undefined method '-' for nil (MRubyEngine::EngineRuntimeError)
	from /home/vagrant/mruby-engine/bin/sandbox:20:in `<main>'
vagrant@vagrant-ubuntu-trusty-64:/vagrant$ ASAN_SYMBOLIZER_PATH=/usr/lib/llvm-3.8/bin/llvm-symbolizer bin/mruby crash-triage/02.rb
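A small triage helper for the ASan report quoted above, added here as an example (it is not part of the issue or of mruby): it pulls the access kind and size, the first project frame of the faulting and of the allocating stack, and cross-checks ASan's "N bytes to the right of ... region" sentence against the raw region bounds, so a batch of crash-triage reports can be bucketed without reading each one. The report excerpt is copied from the issue; the frame-skipping heuristic (sanitizer interceptors and anything with "alloc" in its name) is an assumption of this example.

```python
import re

# Excerpt of the AddressSanitizer report from the issue (PID 3720 run).
ASAN_REPORT = """\
==3720==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001e880 at pc 0x0000004ae8ac bp 0x7ffee59f8930 sp 0x7ffee59f80e0
WRITE of size 16 at 0x61d00001e880 thread T0
    #0 0x4ae8ab in __asan_memcpy (/vagrant/bin/mruby+0x4ae8ab)
    #1 0x64ad6d in value_move /vagrant/src/value_array.h:14:15
    #2 0x629792 in mrb_vm_exec /vagrant/src/vm.c:1181:11
0x61d00001e880 is located 0 bytes to the right of 2048-byte region [0x61d00001e080,0x61d00001e880)
allocated by thread T0 here:
    #0 0x4c4c0d in realloc (/vagrant/bin/mruby+0x4c4c0d)
    #1 0x5c14f5 in mrb_default_allocf /vagrant/src/state.c:60:12
    #5 0x551bbd in mrb_calloc /vagrant/src/gc.c:254:9
    #6 0x618d19 in stack_init /vagrant/src/vm.c:92:28
"""

HEADER = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+", re.M)
REGION = re.compile(r"located (?P<off>\d+) bytes to the (?P<side>left|right) of (?P<len>\d+)-byte "
                    r"region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")
FRAME = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (?P<fn>\S+) (?P<loc>\S+)", re.M)

def first_project_frame(trace):
    """First frame with a file:line location that is neither an ASan interceptor nor an allocator wrapper (heuristic)."""
    for m in FRAME.finditer(trace):
        fn, loc = m["fn"], m["loc"]
        if fn.startswith("__asan_") or "alloc" in fn or ":" not in loc:
            continue
        return fn, loc
    return None

def triage(report):
    head, acc, reg = HEADER.search(report), ACCESS.search(report), REGION.search(report)
    if not (head and acc and reg):
        raise ValueError("not a recognised ASan heap report")
    # The report carries two stacks: the faulting access, then the allocation site.
    access_part, _, alloc_part = report.partition("allocated by thread")
    addr, lo, hi = int(head["addr"], 16), int(reg["lo"], 16), int(reg["hi"], 16)
    # Recompute ASan's prose ("0 bytes to the right of 2048-byte region") from the addresses.
    if hi - lo != int(reg["len"]) or addr - hi != int(reg["off"]):
        raise ValueError("region sentence disagrees with the quoted addresses")
    return {
        "kind": head["kind"], "op": acc["op"], "size": int(acc["size"]),
        "region_bytes": hi - lo,
        "overflow_offset": addr - hi,                    # 0: write starts exactly at the end
        "bytes_past_end": addr - hi + int(acc["size"]),  # 16: one full element beyond the region
        "fault_frame": first_project_frame(access_part),
        "alloc_frame": first_project_frame(alloc_part),
    }
```

On this report the helper pairs the 16-byte write in value_move (vm.c:1181 caller) with the 2048-byte buffer allocated in stack_init, i.e. the VM value stack, which is the pairing a triager wants before opening the source.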

@matz matz closed this in f198530 Feb 13, 2017
