Heap buffer overflow #3462

Closed
clayton-shopify opened this Issue Feb 24, 2017 · 0 comments

@clayton-shopify
Contributor

clayton-shopify commented Feb 24, 2017

The following input demonstrates a crash:

def a
  b
ensure
  proc { return }.call
end

begin
  a
rescue
end

ASAN report:

=================================================================
==81969==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200001d8d4 at pc 0x00010ac336b3 bp 0x7fff5512c890 sp 0x7fff5512c888
READ of size 4 at 0x60200001d8d4 thread T0
    #0 0x10ac336b2 in mrb_vm_exec vm.c:980
    #1 0x10ac2f589 in mrb_vm_run vm.c:815
    #2 0x10ac60a19 in mrb_top_run vm.c:2569
    #3 0x10ad2e7b5 in mrb_load_exec parse.y:5755
    #4 0x10ad2f5c5 in mrb_load_file_cxt parse.y:5764
    #5 0x10aacc01a in main mruby.c:232
    #6 0x7fffb4357254 in start (libdyld.dylib+0x5254)

0x60200001d8d4 is located 0 bytes to the right of 4-byte region [0x60200001d8d0,0x60200001d8d4)
allocated by thread T0 here:
    #0 0x10ae6ff87 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4af87)
    #1 0x10abc5305 in mrb_default_allocf state.c:60
    #2 0x10ab467b8 in mrb_realloc_simple gc.c:201
    #3 0x10acf0a45 in codegen_realloc codegen.c:132
    #4 0x10ad00a3c in scope_finish codegen.c:2842
    #5 0x10acf756e in lambda_body codegen.c:725
    #6 0x10acef759 in codegen codegen.c:2686
    #7 0x10acdaa4d in codegen codegen.c:1254
    #8 0x10acf3396 in scope_body codegen.c:737
    #9 0x10acde56a in codegen codegen.c:1555
    #10 0x10acd7fb1 in mrb_generate_code codegen.c:2954
    #11 0x10ad2dc30 in mrb_load_exec parse.y:5732
    #12 0x10ad2f5c5 in mrb_load_file_cxt parse.y:5764
    #13 0x10aacc01a in main mruby.c:232
    #14 0x7fffb4357254 in start (libdyld.dylib+0x5254)

SUMMARY: AddressSanitizer: heap-buffer-overflow vm.c:980 in mrb_vm_exec
Shadow bytes around the buggy address:
  0x1c0400003ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400003ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400003ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400003af0: fa fa fa fa fa fa fa fa fa fa 00 02 fa fa 00 fa
  0x1c0400003b00: fa fa 00 fa fa fa 00 04 fa fa 00 02 fa fa 00 04
=>0x1c0400003b10: fa fa 00 fa fa fa 00 fa fa fa[04]fa fa fa 00 04
  0x1c0400003b20: fa fa 00 02 fa fa 00 02 fa fa 00 fa fa fa 00 fa
  0x1c0400003b30: fa fa 00 fa fa fa 00 02 fa fa 00 02 fa fa 04 fa
  0x1c0400003b40: fa fa 00 fa fa fa 04 fa fa fa 00 fa fa fa 00 00
  0x1c0400003b50: fa fa fd fd fa fa 00 00 fa fa fd fd fa fa 00 00
  0x1c0400003b60: fa fa 00 fa fa fa fd fd fa fa 00 00 fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==81969==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ahmadsherif
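The following script is an added example, not part of the original report or of mruby: it runs the same construct as the repro above on a reference Ruby interpreter to show what the input is supposed to do semantically. The call to the undefined method `b` raises NameError; the `ensure` clause then performs a non-local `return` from `a` through a proc, and a return issued while an exception is propagating discards that exception, so `a` returns nil and the caller's `rescue` never fires. That unwinding path (proc frame, pending exception and ensure state all torn down at once) is the one the mruby VM mishandled in the trace above; the page records the fix as commit b563bcb. The `observe`, `repro_result` and `control_result` helpers are names chosen for this example.

```ruby
# Added example (not from the original issue): demonstrates, on a reference
# Ruby interpreter, the intended semantics of the reported input. The same
# construct crashed mruby at the reported version (see the ASAN trace in the
# issue); the issue page names b563bcb as the fixing commit.

# Same shape as the issue's repro: `b` is undefined, so calling it raises
# NameError. The ensure clause then performs a non-local return from `a`
# via a proc. A return executed inside ensure while an exception is being
# propagated discards that exception, so `a` returns nil without raising.
def a
  b
ensure
  proc { return }.call
end

# Control case: the same body without the ensure-return. Here the NameError
# propagates to the caller as one would normally expect.
def a_without_ensure_return
  b
end

# Runs the given block and reports whether it raised and what it returned,
# as a small hash so the outcome can be checked programmatically.
def observe
  value = yield
  { raised: false, value: value }
rescue NameError => e
  { raised: true, error: e.class.name }
end

# The repro: the exception from `b` is swallowed by the non-local return.
def repro_result
  observe { a }
end

# The control: the exception from `b` reaches the caller.
def control_result
  observe { a_without_ensure_return }
end

if __FILE__ == $0
  p repro_result    # {:raised=>false, :value=>nil}
  p control_result  # {:raised=>true, :error=>"NameError"}
end
```

Running this under CRuby prints the two hashes shown in the comments; the contrast between them is what makes the repro interesting for a VM implementer, since the `ensure` clause must both run and then abandon the exception it was invoked for. As a mitigation note for anyone embedding mruby to run untrusted scripts, the relevant action is simply to build from a revision that includes the fix referenced on this page.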

@matz matz closed this in b563bcb Feb 27, 2017

matz added a commit that referenced this issue Mar 11, 2017

Revert 642ab8e; ref #3422
Also fix #3499.  The issue was solved by #3462.

dkasak added a commit to dkasak/mruby that referenced this issue Mar 14, 2017

Revert 642ab8e; ref #3422
Also fix #3499.  The issue was solved by #3462.
