Heap buffer overflow #3462
Closed
Description
The following input demonstrates a crash:

```ruby
def a
  b
ensure
  proc { return }.call
end
begin
  a
rescue
end
```

ASAN report:
```
=================================================================
==81969==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200001d8d4 at pc 0x00010ac336b3 bp 0x7fff5512c890 sp 0x7fff5512c888
READ of size 4 at 0x60200001d8d4 thread T0
    #0 0x10ac336b2 in mrb_vm_exec vm.c:980
    #1 0x10ac2f589 in mrb_vm_run vm.c:815
    #2 0x10ac60a19 in mrb_top_run vm.c:2569
    #3 0x10ad2e7b5 in mrb_load_exec parse.y:5755
    #4 0x10ad2f5c5 in mrb_load_file_cxt parse.y:5764
    #5 0x10aacc01a in main mruby.c:232
    #6 0x7fffb4357254 in start (libdyld.dylib+0x5254)

0x60200001d8d4 is located 0 bytes to the right of 4-byte region [0x60200001d8d0,0x60200001d8d4)
allocated by thread T0 here:
    #0 0x10ae6ff87 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4af87)
    #1 0x10abc5305 in mrb_default_allocf state.c:60
    #2 0x10ab467b8 in mrb_realloc_simple gc.c:201
    #3 0x10acf0a45 in codegen_realloc codegen.c:132
    #4 0x10ad00a3c in scope_finish codegen.c:2842
    #5 0x10acf756e in lambda_body codegen.c:725
    #6 0x10acef759 in codegen codegen.c:2686
    #7 0x10acdaa4d in codegen codegen.c:1254
    #8 0x10acf3396 in scope_body codegen.c:737
    #9 0x10acde56a in codegen codegen.c:1555
    #10 0x10acd7fb1 in mrb_generate_code codegen.c:2954
    #11 0x10ad2dc30 in mrb_load_exec parse.y:5732
    #12 0x10ad2f5c5 in mrb_load_file_cxt parse.y:5764
    #13 0x10aacc01a in main mruby.c:232
    #14 0x7fffb4357254 in start (libdyld.dylib+0x5254)

SUMMARY: AddressSanitizer: heap-buffer-overflow vm.c:980 in mrb_vm_exec
Shadow bytes around the buggy address:
  0x1c0400003ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400003ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400003ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400003af0: fa fa fa fa fa fa fa fa fa fa 00 02 fa fa 00 fa
  0x1c0400003b00: fa fa 00 fa fa fa 00 04 fa fa 00 02 fa fa 00 04
=>0x1c0400003b10: fa fa 00 fa fa fa 00 fa fa fa[04]fa fa fa 00 04
  0x1c0400003b20: fa fa 00 02 fa fa 00 02 fa fa 00 fa fa fa 00 fa
  0x1c0400003b30: fa fa 00 fa fa fa 00 02 fa fa 00 02 fa fa 04 fa
  0x1c0400003b40: fa fa 00 fa fa fa 04 fa fa fa 00 fa fa fa 00 00
  0x1c0400003b50: fa fa fd fd fa fa 00 00 fa fa fd fd fa fa 00 00
  0x1c0400003b60: fa fa 00 fa fa fa fd fd fa fa 00 00 fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==81969==ABORTING
Abort trap: 6
```
This issue was reported by https://hackerone.com/ahmadsherif
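For anyone turning this report into a regression check, the following is an added example (not from the issue, the reporter, or the mruby project) that wraps the reporter's input in a small harness and records what the caller observes. The expected outcome it encodes is an assumption based on standard Ruby semantics, not something the issue states: a non-local `return` executed inside `ensure` while an exception is still unwinding discards that exception, so `a` returns `nil` and the caller's `rescue` never fires. The interpreter should reach that point without touching memory outside the compiled proc; the ASAN trace above is what a build with `-fsanitize=address` reports instead.

```ruby
# Added regression-style harness around the reporter's crash input.
# Expected behaviour below is assumed from CRuby semantics (assumption):
#   - `b` is an undefined method call and raises NameError
#   - the `ensure` clause runs while NameError is propagating
#   - the non-local `return` from the proc unwinds to `a` and discards
#     the pending exception, so `a` returns nil
def a
  b                       # raises NameError (undefined local variable or method)
ensure
  proc { return }.call    # non-local return from `a` during unwinding
end

# Runs the reproducer once and reports what the caller can observe:
# the value returned by `a` and whether the outer rescue was entered.
def run_reproducer
  rescued = false
  result = :unset
  begin
    result = a
  rescue NameError
    rescued = true
  end
  { result: result, rescued: rescued }
end

if __FILE__ == $PROGRAM_NAME
  p run_reproducer   # expected: {:result=>nil, :rescued=>false}
end
```

Under a sanitizer build the useful signal is not the return value but whether the process survives to print it; under a normal build the assertion on the returned hash documents the semantics the fixed VM is expected to preserve.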