Heap buffer overflow #3464

Closed
clayton-shopify opened this Issue Feb 24, 2017 · 0 comments

clayton-shopify commented Feb 24, 2017

The following input demonstrates a crash:

l = 0./(0, *r=begin
  K ||= @g
ensure
e
end)

This input is a variation of the one in #3442.

ASAN report:

=================================================================
==82414==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00000bbc0 at pc 0x00010b4ab9eb bp 0x7fff54ae4590 sp 0x7fff54ae3d50
READ of size 16 at 0x60d00000bbc0 thread T0
    #0 0x10b4ab9ea in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib+0x419ea)
    #1 0x10b11b69d in value_move value_array.h:14
    #2 0x10b11b384 in mrb_ary_unshift array.c:502
    #3 0x10b280e42 in mrb_vm_exec vm.c:1198
    #4 0x10b277589 in mrb_vm_run vm.c:815
    #5 0x10b2a8a19 in mrb_top_run vm.c:2569
    #6 0x10b3767b5 in mrb_load_exec parse.y:5755
    #7 0x10b3775c5 in mrb_load_file_cxt parse.y:5764
    #8 0x10b11401a in main mruby.c:232
    #9 0x7fffb4357254 in start (libdyld.dylib+0x5254)

0x60d00000bbc0 is located 31 bytes to the right of 129-byte region [0x60d00000bb20,0x60d00000bba1)
allocated by thread T0 here:
    #0 0x10b4b4f87 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4af87)
    #1 0x10b20d305 in mrb_default_allocf state.c:60
    #2 0x10b18e7b8 in mrb_realloc_simple gc.c:201
    #3 0x10b18ee9e in mrb_realloc gc.c:215
    #4 0x10b18f913 in mrb_malloc gc.c:236
    #5 0x10b21042c in mrb_str_buf_new string.c:115
    #6 0x10b16273b in mrb_mod_attr_writer class.c:1360
    #7 0x10b281950 in mrb_vm_exec vm.c:1229
    #8 0x10b277589 in mrb_vm_run vm.c:815
    #9 0x10b2a8a19 in mrb_top_run vm.c:2569
    #10 0x10b1cce84 in mrb_load_irep_cxt load.c:638
    #11 0x10b1cdcbf in mrb_load_irep load.c:644
    #12 0x10b31a276 in GENERATED_TMP_mrb_mruby_enumerator_gem_init (mruby+0x100208276)
    #13 0x10b3935ed in mrb_init_mrbgems (mruby+0x1002815ed)
    #14 0x10b20d491 in mrb_open_allocf state.c:114
    #15 0x10b20d437 in mrb_open state.c:99
    #16 0x10b112d97 in main mruby.c:172
    #17 0x7fffb4357254 in start (libdyld.dylib+0x5254)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib+0x419ea) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c1a00001720: 00 00 00 00 00 00 01 fa fa fa fa fa fa fa fa fa
  0x1c1a00001730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c1a00001740: 01 fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
  0x1c1a00001750: 00 00 00 00 00 00 00 00 00 00 01 fa fa fa fa fa
  0x1c1a00001760: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c1a00001770: 00 00 00 00 01 fa fa fa[fa]fa fa fa fa fa 00 00
  0x1c1a00001780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 fa
  0x1c1a00001790: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x1c1a000017a0: 00 00 00 00 00 00 00 00 01 fa fa fa fa fa fa fa
  0x1c1a000017b0: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c1a000017c0: 00 00 01 fa fa fa fa fa fa fa fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==82414==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ssarong
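
An added triage example (not part of the original report or of mruby's code): it recomputes the shadow address for the faulting address in the ASAN report above and checks the dumped shadow bytes against the reported 129-byte region. The shadow offset `0x100000000000` is an assumption (ASan's default for macOS x86_64), the function names are hypothetical, and `REPORT` holds lines copied from the report, trimmed to what the decoder needs.

```python
import re

# Lines copied from the ASAN report above, trimmed to what the decoder needs.
REPORT = """\
READ of size 16 at 0x60d00000bbc0 thread T0
0x60d00000bbc0 is located 31 bytes to the right of 129-byte region [0x60d00000bb20,0x60d00000bba1)
  0x1c1a00001760: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c1a00001770: 00 00 00 00 01 fa fa fa[fa]fa fa fa fa fa 00 00
"""

SHADOW_SCALE = 3                # 1 shadow byte per 8 application bytes (see legend)
SHADOW_OFFSET = 0x100000000000  # assumption: ASan default for macOS x86_64

def shadow_addr(addr):
    """Application address -> address of the shadow byte that describes it."""
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET

def parse_shadow(report):
    """Map shadow address -> shadow byte for every dumped shadow row."""
    shadow = {}
    for m in re.finditer(r"^(?:=>)?[ \t]*(0x[0-9a-f]+):(.*)$", report, re.M):
        base = int(m.group(1), 16)
        for i, byte in enumerate(re.findall(r"[0-9a-f]{2}", m.group(2))):
            shadow[base + i] = int(byte, 16)
    return shadow

def addressable(shadow, addr):
    """True if the shadow marks the application byte at addr as valid."""
    s = shadow[shadow_addr(addr)]
    if s == 0:
        return True            # whole 8-byte granule is valid
    if s < 8:
        return (addr & 7) < s  # only the first s bytes of the granule are valid
    return False               # redzone or otherwise poisoned

def analyze(report):
    size, fault = re.search(r"(?:READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", report).groups()
    lo, hi = (int(x, 16) for x in re.search(r"region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", report).groups())
    fault, size, shadow = int(fault, 16), int(size), parse_shadow(report)
    return {
        "region_size": hi - lo,
        "bytes_past_end": fault - hi,
        "fault_shadow_addr": shadow_addr(fault),
        "fault_shadow_byte": shadow[shadow_addr(fault)],
        "poisoned_bytes_read": sum(not addressable(shadow, a) for a in range(fault, fault + size)),
        "last_byte_ok": addressable(shadow, hi - 1),
        "one_past_end_ok": addressable(shadow, hi),
    }

if __name__ == "__main__":
    for key, value in analyze(REPORT).items():
        print(f"{key}: {value:#x}" if "shadow" in key else f"{key}: {value}")
```

The computed shadow address lands on the bracketed `[fa]` byte in the `=>` row, which confirms the assumed offset matches this report.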
