Heap use after free #3465

clayton-shopify · 2017-02-24T20:19:31Z

The following input demonstrates a crash:

l = 0./(0, *r=begin
  K ||=
  K ||=
  K ||=
  K ||=
  K ||=
  K ||=
  K ||=
  K ||=
  K ||=
  K ||=
  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  Kq  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K ||=
  K ||=
  K ||=
  K ||=
  K ||=
  K ||= @g
ensure
end)

This looks like it is probably related to #3464 and #3442.

ASAN report:

=================================================================
==82515==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000005158 at pc 0x000104979116 bp 0x7fff5b3e9890 sp 0x7fff5b3e9888
WRITE of size 4 at 0x625000005158 thread T0
    #0 0x104979115 in mrb_vm_exec vm.c:1081
    #1 0x104972589 in mrb_vm_run vm.c:815
    #2 0x1049a3a19 in mrb_top_run vm.c:2569
    #3 0x104a717b5 in mrb_load_exec parse.y:5755
    #4 0x104a725c5 in mrb_load_file_cxt parse.y:5764
    #5 0x10480f01a in main mruby.c:232
    #6 0x7fffb4357254 in start (libdyld.dylib+0x5254)

0x625000005158 is located 88 bytes inside of 9104-byte region [0x625000005100,0x625000007490)
freed by thread T0 here:
    #0 0x104baef87 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4af87)
    #1 0x104908305 in mrb_default_allocf state.c:60
    #2 0x1048897b8 in mrb_realloc_simple gc.c:201
    #3 0x104889e9e in mrb_realloc gc.c:215
    #4 0x1049a4491 in stack_extend_alloc vm.c:161
    #5 0x10496ae97 in stack_extend vm.c:181
    #6 0x104972497 in mrb_vm_run vm.c:813
    #7 0x10496b76e in mrb_run vm.c:2558
    #8 0x1049a0dad in ecall vm.c:311
    #9 0x104985cf3 in mrb_vm_exec vm.c:1633
    #10 0x104972589 in mrb_vm_run vm.c:815
    #11 0x1049a3a19 in mrb_top_run vm.c:2569
    #12 0x104a717b5 in mrb_load_exec parse.y:5755
    #13 0x104a725c5 in mrb_load_file_cxt parse.y:5764
    #14 0x10480f01a in main mruby.c:232
    #15 0x7fffb4357254 in start (libdyld.dylib+0x5254)

previously allocated by thread T0 here:
    #0 0x104baef87 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4af87)
    #1 0x104908305 in mrb_default_allocf state.c:60
    #2 0x1048897b8 in mrb_realloc_simple gc.c:201
    #3 0x104889e9e in mrb_realloc gc.c:215
    #4 0x1049a4491 in stack_extend_alloc vm.c:161
    #5 0x10496ae97 in stack_extend vm.c:181
    #6 0x104972497 in mrb_vm_run vm.c:813
    #7 0x1049a3a19 in mrb_top_run vm.c:2569
    #8 0x104a717b5 in mrb_load_exec parse.y:5755
    #9 0x104a725c5 in mrb_load_file_cxt parse.y:5764
    #10 0x10480f01a in main mruby.c:232
    #11 0x7fffb4357254 in start (libdyld.dylib+0x5254)

SUMMARY: AddressSanitizer: heap-use-after-free vm.c:1081 in mrb_vm_exec
Shadow bytes around the buggy address:
  0x1c4a000009d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4a000009e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4a000009f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4a00000a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4a00000a10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c4a00000a20: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
  0x1c4a00000a30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c4a00000a40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c4a00000a50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c4a00000a60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c4a00000a70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==82515==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ssarong

The text was updated successfully, but these errors were encountered:

This reverts commit 9e93d5d.

matz closed this as completed in 9e93d5d Feb 27, 2017

clayton-shopify mentioned this issue Mar 10, 2017

Use of invalidated pointer causes segfault in ecall #3499

Closed

dkasak added a commit to dkasak/mruby that referenced this issue Mar 14, 2017

Revert "Stack may be reallocated in mrb_run(); fix mruby#3465"

4b12522

This reverts commit 9e93d5d.

Heap use after free #3465

Heap use after free #3465

Comments

clayton-shopify commented Feb 24, 2017