New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Heap use after free #3465

Closed
clayton-shopify opened this Issue Feb 24, 2017 · 0 comments

Comments

Projects
None yet
1 participant
@clayton-shopify
Contributor

clayton-shopify commented Feb 24, 2017

The following input demonstrates a crash:

l = 0./(0, *r=begin
  K ||=
  K ||=
  K ||=
  K ||=
  K ||=
  K ||=
  K ||=
  K ||=
  K ||=
  K ||=
  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  Kq  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K  K ||=
  K ||=
  K ||=
  K ||=
  K ||=
  K ||= @g
ensure
end)

This looks like it is probably related to #3464 and #3442.

ASAN report:

=================================================================
==82515==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000005158 at pc 0x000104979116 bp 0x7fff5b3e9890 sp 0x7fff5b3e9888
WRITE of size 4 at 0x625000005158 thread T0
    #0 0x104979115 in mrb_vm_exec vm.c:1081
    #1 0x104972589 in mrb_vm_run vm.c:815
    #2 0x1049a3a19 in mrb_top_run vm.c:2569
    #3 0x104a717b5 in mrb_load_exec parse.y:5755
    #4 0x104a725c5 in mrb_load_file_cxt parse.y:5764
    #5 0x10480f01a in main mruby.c:232
    #6 0x7fffb4357254 in start (libdyld.dylib+0x5254)

0x625000005158 is located 88 bytes inside of 9104-byte region [0x625000005100,0x625000007490)
freed by thread T0 here:
    #0 0x104baef87 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4af87)
    #1 0x104908305 in mrb_default_allocf state.c:60
    #2 0x1048897b8 in mrb_realloc_simple gc.c:201
    #3 0x104889e9e in mrb_realloc gc.c:215
    #4 0x1049a4491 in stack_extend_alloc vm.c:161
    #5 0x10496ae97 in stack_extend vm.c:181
    #6 0x104972497 in mrb_vm_run vm.c:813
    #7 0x10496b76e in mrb_run vm.c:2558
    #8 0x1049a0dad in ecall vm.c:311
    #9 0x104985cf3 in mrb_vm_exec vm.c:1633
    #10 0x104972589 in mrb_vm_run vm.c:815
    #11 0x1049a3a19 in mrb_top_run vm.c:2569
    #12 0x104a717b5 in mrb_load_exec parse.y:5755
    #13 0x104a725c5 in mrb_load_file_cxt parse.y:5764
    #14 0x10480f01a in main mruby.c:232
    #15 0x7fffb4357254 in start (libdyld.dylib+0x5254)

previously allocated by thread T0 here:
    #0 0x104baef87 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4af87)
    #1 0x104908305 in mrb_default_allocf state.c:60
    #2 0x1048897b8 in mrb_realloc_simple gc.c:201
    #3 0x104889e9e in mrb_realloc gc.c:215
    #4 0x1049a4491 in stack_extend_alloc vm.c:161
    #5 0x10496ae97 in stack_extend vm.c:181
    #6 0x104972497 in mrb_vm_run vm.c:813
    #7 0x1049a3a19 in mrb_top_run vm.c:2569
    #8 0x104a717b5 in mrb_load_exec parse.y:5755
    #9 0x104a725c5 in mrb_load_file_cxt parse.y:5764
    #10 0x10480f01a in main mruby.c:232
    #11 0x7fffb4357254 in start (libdyld.dylib+0x5254)

SUMMARY: AddressSanitizer: heap-use-after-free vm.c:1081 in mrb_vm_exec
Shadow bytes around the buggy address:
  0x1c4a000009d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4a000009e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4a000009f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4a00000a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4a00000a10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c4a00000a20: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
  0x1c4a00000a30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c4a00000a40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c4a00000a50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c4a00000a60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c4a00000a70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==82515==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ssarong

@matz matz closed this in 9e93d5d Feb 27, 2017

dkasak added a commit to dkasak/mruby that referenced this issue Mar 14, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment