Heap use-after-free #3474

Closed
clayton-shopify opened this Issue Feb 27, 2017 · 3 comments


clayton-shopify commented Feb 27, 2017

The following input demonstrates a crash:

class NoMethodError
  def initialize(message, name, args)
    a super &name
  end
end

b

ASAN report:

==14541==ERROR: AddressSanitizer: heap-use-after-free on address 0x61e00000fa78 at pc 0x000108a431c8 bp 0x7fff572bcdd0 sp 0x7fff572bcdc8
WRITE of size 8 at 0x61e00000fa78 thread T0
    #0 0x108a431c7 in mrb_vm_exec vm.c:1407
    #1 0x108a34239 in mrb_vm_run vm.c:815
    #2 0x108a2d41e in mrb_run vm.c:2562
    #3 0x108a2ad67 in mrb_funcall_with_block vm.c:451
    #4 0x10890dd39 in mrb_instance_new class.c:1411
    #5 0x108a2a965 in mrb_funcall_with_block vm.c:444
    #6 0x108a27737 in mrb_funcall_argv vm.c:461
    #7 0x108a271be in mrb_funcall vm.c:339
    #8 0x10893d307 in mrb_no_method_error error.c:525
    #9 0x10897986e in mrb_method_missing kernel.c:935
    #10 0x10898036c in mrb_obj_missing kernel.c:980
    #11 0x108a3e812 in mrb_vm_exec vm.c:1228
    #12 0x108a34239 in mrb_vm_run vm.c:815
    #13 0x108a2d41e in mrb_run vm.c:2562
    #14 0x108a2ad67 in mrb_funcall_with_block vm.c:451
    #15 0x10890dd39 in mrb_instance_new class.c:1411
    #16 0x108a2a965 in mrb_funcall_with_block vm.c:444
    #17 0x108a27737 in mrb_funcall_argv vm.c:461
    #18 0x108a271be in mrb_funcall vm.c:339
    #19 0x10893d307 in mrb_no_method_error error.c:525
    #20 0x10897986e in mrb_method_missing kernel.c:935
    #21 0x10898036c in mrb_obj_missing kernel.c:980
    #22 0x108a3e812 in mrb_vm_exec vm.c:1228
    #23 0x108a34239 in mrb_vm_run vm.c:815
    #24 0x108a2d41e in mrb_run vm.c:2562
    #25 0x108a2ad67 in mrb_funcall_with_block vm.c:451
    #26 0x10890dd39 in mrb_instance_new class.c:1411
    #27 0x108a2a965 in mrb_funcall_with_block vm.c:444
    #28 0x108a27737 in mrb_funcall_argv vm.c:461
    #29 0x108a271be in mrb_funcall vm.c:339
    #30 0x10893d307 in mrb_no_method_error error.c:525
    #31 0x10897986e in mrb_method_missing kernel.c:935
    #32 0x10898036c in mrb_obj_missing kernel.c:980
    #33 0x108a3e812 in mrb_vm_exec vm.c:1228
    #34 0x108a34239 in mrb_vm_run vm.c:815
    #35 0x108a2d41e in mrb_run vm.c:2562
    #36 0x108a2ad67 in mrb_funcall_with_block vm.c:451
    #37 0x10890dd39 in mrb_instance_new class.c:1411
    #38 0x108a2a965 in mrb_funcall_with_block vm.c:444
    #39 0x108a27737 in mrb_funcall_argv vm.c:461
    #40 0x108a271be in mrb_funcall vm.c:339
    #41 0x10893d307 in mrb_no_method_error error.c:525
    #42 0x10897986e in mrb_method_missing kernel.c:935
    #43 0x10898036c in mrb_obj_missing kernel.c:980
    #44 0x108a3e812 in mrb_vm_exec vm.c:1228
    #45 0x108a34239 in mrb_vm_run vm.c:815
    #46 0x108a2d41e in mrb_run vm.c:2562
    #47 0x108a2ad67 in mrb_funcall_with_block vm.c:451
    #48 0x10890dd39 in mrb_instance_new class.c:1411
    #49 0x108a2a965 in mrb_funcall_with_block vm.c:444
    #50 0x108a27737 in mrb_funcall_argv vm.c:461
    #51 0x108a271be in mrb_funcall vm.c:339
    #52 0x10893d307 in mrb_no_method_error error.c:525
    #53 0x10897986e in mrb_method_missing kernel.c:935
    #54 0x10898036c in mrb_obj_missing kernel.c:980
    #55 0x108a3e812 in mrb_vm_exec vm.c:1228
    #56 0x108a34239 in mrb_vm_run vm.c:815
    #57 0x108a2d41e in mrb_run vm.c:2562
    #58 0x108a2ad67 in mrb_funcall_with_block vm.c:451
    #59 0x10890dd39 in mrb_instance_new class.c:1411
    #60 0x108a2a965 in mrb_funcall_with_block vm.c:444
    #61 0x108a27737 in mrb_funcall_argv vm.c:461
    #62 0x108a271be in mrb_funcall vm.c:339
    #63 0x10893d307 in mrb_no_method_error error.c:525
    #64 0x10897986e in mrb_method_missing kernel.c:935
    #65 0x10898036c in mrb_obj_missing kernel.c:980
    #66 0x108a3e812 in mrb_vm_exec vm.c:1228
    #67 0x108a34239 in mrb_vm_run vm.c:815
    #68 0x108a2d41e in mrb_run vm.c:2562
    #69 0x108a2ad67 in mrb_funcall_with_block vm.c:451
    #70 0x10890dd39 in mrb_instance_new class.c:1411
    #71 0x108a2a965 in mrb_funcall_with_block vm.c:444
    #72 0x108a27737 in mrb_funcall_argv vm.c:461
    #73 0x108a271be in mrb_funcall vm.c:339
    #74 0x10893d307 in mrb_no_method_error error.c:525
    #75 0x10897986e in mrb_method_missing kernel.c:935
    #76 0x10898036c in mrb_obj_missing kernel.c:980
    #77 0x108a3e812 in mrb_vm_exec vm.c:1228
    #78 0x108a34239 in mrb_vm_run vm.c:815
    #79 0x108a2d41e in mrb_run vm.c:2562
    #80 0x108a2ad67 in mrb_funcall_with_block vm.c:451
    #81 0x10890dd39 in mrb_instance_new class.c:1411
    #82 0x108a2a965 in mrb_funcall_with_block vm.c:444
    #83 0x108a27737 in mrb_funcall_argv vm.c:461
    #84 0x108a271be in mrb_funcall vm.c:339
    #85 0x10893d307 in mrb_no_method_error error.c:525
    #86 0x10897986e in mrb_method_missing kernel.c:935
    #87 0x10898036c in mrb_obj_missing kernel.c:980
    #88 0x108a3e812 in mrb_vm_exec vm.c:1228
    #89 0x108a34239 in mrb_vm_run vm.c:815
    #90 0x108a2d41e in mrb_run vm.c:2562
    #91 0x108a2ad67 in mrb_funcall_with_block vm.c:451
    #92 0x10890dd39 in mrb_instance_new class.c:1411
    #93 0x108a2a965 in mrb_funcall_with_block vm.c:444
    #94 0x108a27737 in mrb_funcall_argv vm.c:461
    #95 0x108a271be in mrb_funcall vm.c:339
    #96 0x10893d307 in mrb_no_method_error error.c:525
    #97 0x10897986e in mrb_method_missing kernel.c:935
    #98 0x10898036c in mrb_obj_missing kernel.c:980
    #99 0x108a3e812 in mrb_vm_exec vm.c:1228
    #100 0x108a34239 in mrb_vm_run vm.c:815
    #101 0x108a2d41e in mrb_run vm.c:2562
    #102 0x108a2ad67 in mrb_funcall_with_block vm.c:451
    #103 0x10890dd39 in mrb_instance_new class.c:1411
    #104 0x108a2a965 in mrb_funcall_with_block vm.c:444
    #105 0x108a27737 in mrb_funcall_argv vm.c:461
    #106 0x108a271be in mrb_funcall vm.c:339
    #107 0x10893d307 in mrb_no_method_error error.c:525
    #108 0x10897986e in mrb_method_missing kernel.c:935
    #109 0x10898036c in mrb_obj_missing kernel.c:980
    #110 0x108a3e812 in mrb_vm_exec vm.c:1228
    #111 0x108a34239 in mrb_vm_run vm.c:815
    #112 0x108a65a59 in mrb_top_run vm.c:2573
    #113 0x108b337f5 in mrb_load_exec parse.y:5755
    #114 0x108b345c5 in mrb_load_file_cxt parse.y:5764
    #115 0x1088d0cca in main mruby.c:232
    #116 0x7fffb4357254 in start (libdyld.dylib+0x5254)

0x61e00000fa78 is located 2552 bytes inside of 2560-byte region [0x61e00000f080,0x61e00000fa80)
freed by thread T0 here:
    #0 0x108c71f87 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4af87)
    #1 0x1089c9fb5 in mrb_default_allocf state.c:60
    #2 0x10894b468 in mrb_realloc_simple gc.c:201
    #3 0x10894bb4e in mrb_realloc gc.c:215
    #4 0x108a2c5b9 in cipush vm.c:239
    #5 0x108a290cd in mrb_funcall_with_block vm.c:397
    #6 0x108a27737 in mrb_funcall_argv vm.c:461
    #7 0x1089ad5de in convert_type object.c:320
    #8 0x1089adddb in mrb_convert_type object.c:342
    #9 0x108a43040 in mrb_vm_exec vm.c:1404
    #10 0x108a34239 in mrb_vm_run vm.c:815
    #11 0x108a2d41e in mrb_run vm.c:2562
    #12 0x108a2ad67 in mrb_funcall_with_block vm.c:451
    #13 0x10890dd39 in mrb_instance_new class.c:1411
    #14 0x108a2a965 in mrb_funcall_with_block vm.c:444
    #15 0x108a27737 in mrb_funcall_argv vm.c:461
    #16 0x108a271be in mrb_funcall vm.c:339
    #17 0x10893d307 in mrb_no_method_error error.c:525
    #18 0x10897986e in mrb_method_missing kernel.c:935
    #19 0x10898036c in mrb_obj_missing kernel.c:980
    #20 0x108a3e812 in mrb_vm_exec vm.c:1228
    #21 0x108a34239 in mrb_vm_run vm.c:815
    #22 0x108a2d41e in mrb_run vm.c:2562
    #23 0x108a2ad67 in mrb_funcall_with_block vm.c:451
    #24 0x10890dd39 in mrb_instance_new class.c:1411
    #25 0x108a2a965 in mrb_funcall_with_block vm.c:444
    #26 0x108a27737 in mrb_funcall_argv vm.c:461
    #27 0x108a271be in mrb_funcall vm.c:339
    #28 0x10893d307 in mrb_no_method_error error.c:525
    #29 0x10897986e in mrb_method_missing kernel.c:935

previously allocated by thread T0 here:
    #0 0x108c71f87 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4af87)
    #1 0x1089c9fb5 in mrb_default_allocf state.c:60
    #2 0x10894b468 in mrb_realloc_simple gc.c:201
    #3 0x10894bb4e in mrb_realloc gc.c:215
    #4 0x10894c5c3 in mrb_malloc gc.c:236
    #5 0x10894c65d in mrb_calloc gc.c:254
    #6 0x108a2b7c5 in stack_init vm.c:102
    #7 0x108a285df in mrb_funcall_with_block vm.c:376
    #8 0x108a27f57 in mrb_funcall_with_block vm.c:354
    #9 0x108a27737 in mrb_funcall_argv vm.c:461
    #10 0x10890eb35 in mrb_obj_new class.c:1425
    #11 0x10893359d in mrb_exc_new_str error.c:32
    #12 0x10893dbb7 in mrb_init_exception error.c:549
    #13 0x10896ed90 in mrb_init_core init.c:41
    #14 0x1089c9f4e in mrb_open_core state.c:47
    #15 0x1089ca11c in mrb_open_allocf state.c:107
    #16 0x1089ca0e7 in mrb_open state.c:99
    #17 0x1088cfa47 in main mruby.c:172
    #18 0x7fffb4357254 in start (libdyld.dylib+0x5254)

SUMMARY: AddressSanitizer: heap-use-after-free vm.c:1407 in mrb_vm_exec
Shadow bytes around the buggy address:
  0x1c3c00001ef0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3c00001f00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3c00001f10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3c00001f20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3c00001f30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x1c3c00001f40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]
  0x1c3c00001f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3c00001f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3c00001f70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3c00001f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3c00001f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==14541==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/mg36
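The trace above places the freeing realloc in cipush (vm.c:239), reached through a nested mrb_funcall_with_block from convert_type, and the faulting write at vm.c:1407 in mrb_vm_exec, three lines after the convert_type call at vm.c:1404 that triggered the growth. That is the shape of a classic bug class: an interpreter loop caches a pointer into a growable array (here the call-info stack) across a call that can reallocate it, and then writes through the stale pointer. The C program below is an added illustration of that pattern and its usual fix; it is not mruby's code, and every name in it (vm_state, ci_grow, cipush, opcode_with_cached_ci, opcode_with_reloaded_ci, demo_cached, demo_reloaded) is hypothetical. The toy grows by allocating a new block before freeing the old one, so the move is deterministic; real code uses realloc(), which may or may not move the block, which is exactly why such bugs only surface at particular recursion depths.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical toy model of a growable call-info stack (not mruby's code). */
typedef struct { int pc; int argc; } callinfo;

typedef struct {
    callinfo *cibase;   /* start of the array */
    callinfo *ciend;    /* one past the last slot */
    callinfo *ci;       /* current frame */
} vm_state;

static void vm_init(vm_state *vm, size_t cap) {
    vm->cibase = calloc(cap, sizeof(callinfo));
    if (!vm->cibase) abort();
    vm->ciend = vm->cibase + cap;
    vm->ci = vm->cibase;
}

static void vm_free(vm_state *vm) {
    free(vm->cibase);
    vm->cibase = vm->ciend = vm->ci = NULL;
}

/* Grow the array. The new block is allocated while the old one is still live,
 * so the old address is always invalidated (unlike realloc, which may extend
 * in place); that keeps the demonstration deterministic. */
static void ci_grow(vm_state *vm) {
    size_t cap = (size_t)(vm->ciend - vm->cibase);
    ptrdiff_t depth = vm->ci - vm->cibase;
    callinfo *fresh = calloc(2 * cap, sizeof(callinfo));
    if (!fresh) abort();
    memcpy(fresh, vm->cibase, cap * sizeof(callinfo));
    free(vm->cibase);                 /* every pointer into the old block is now stale */
    vm->cibase = fresh;
    vm->ciend = fresh + 2 * cap;
    vm->ci = fresh + depth;
}

/* Push a frame, growing when the array is full (the analogue of cipush). */
static callinfo *cipush(vm_state *vm) {
    if (vm->ci + 1 >= vm->ciend) ci_grow(vm);
    vm->ci++;
    memset(vm->ci, 0, sizeof(*vm->ci));
    return vm->ci;
}

static void cipop(vm_state *vm) { vm->ci--; }

/* A nested call that pushes and pops `frames` frames, as a funcall made from
 * inside an opcode handler would. */
static void nested_call(vm_state *vm, int frames) {
    for (int i = 0; i < frames; i++) cipush(vm);
    for (int i = 0; i < frames; i++) cipop(vm);
}

/* Address-range check done on integer values, so a freed pointer is compared
 * but never dereferenced. */
static bool points_into_live_array(const vm_state *vm, const callinfo *p) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)vm->cibase, hi = (uintptr_t)vm->ciend;
    return a >= lo && a < hi;
}

/* Buggy pattern: cache the frame pointer, call something that can grow the
 * stack, then write through the cached pointer. Returns true when that write
 * would have been a use-after-free; the write is only performed when safe. */
static bool opcode_with_cached_ci(vm_state *vm, int frames) {
    callinfo *cached = vm->ci;
    nested_call(vm, frames);
    if (!points_into_live_array(vm, cached)) return true;   /* ASan would report here */
    cached->pc = 1;
    return false;
}

/* Hardened pattern: remember the frame's index rather than its address and
 * rebuild the pointer from the current base after any call that may reallocate. */
static bool opcode_with_reloaded_ci(vm_state *vm, int frames) {
    ptrdiff_t depth = vm->ci - vm->cibase;
    nested_call(vm, frames);
    callinfo *ci = vm->cibase + depth;
    ci->pc = 1;
    return ci == vm->ci;   /* always the live frame */
}

/* Run one scenario on a fresh stack of `cap` slots. */
static bool demo_cached(size_t cap, int frames) {
    vm_state vm; vm_init(&vm, cap);
    bool stale = opcode_with_cached_ci(&vm, frames);
    vm_free(&vm); return stale;
}

static bool demo_reloaded(size_t cap, int frames) {
    vm_state vm; vm_init(&vm, cap);
    bool live = opcode_with_reloaded_ci(&vm, frames);
    vm_free(&vm); return live;
}

int main(void) {
    printf("cap 4, 3 nested frames, cached pointer stale: %d\n", demo_cached(4, 3));   /* 0 */
    printf("cap 4, 4 nested frames, cached pointer stale: %d\n", demo_cached(4, 4));   /* 1 */
    printf("cap 4, 4 nested frames, reloaded pointer live: %d\n", demo_reloaded(4, 4)); /* 1 */
    return 0;
}
```

With a capacity of four slots the third nested frame still fits, so the cached pointer stays valid, and the fourth forces a grow and leaves it dangling; the reloaded variant is correct at every depth. The same discipline applies to the real thing: after any call that can push frames, re-derive `ci` from the base (or store indices), and run the interpreter's test suite under `-fsanitize=address` with the recursion-heavy inputs the fuzzer produced.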

Member

matz commented Mar 2, 2017

Probably this was fixed along with #3478

@matz matz closed this Mar 2, 2017

Contributor

clayton-shopify commented Mar 7, 2017

@matz I'm not sure it's actually fixed. It seems the crash went away after 3390020 but if you build latest master with MRB_DEFAULT_METHOD_MISSING (e.g. CFLAGS="-DMRB_DEFAULT_METHOD_MISSING -fsanitize=address" LDFLAGS=-fsanitize=address make) then the crash still occurs.

Contributor

clayton-shopify commented Mar 21, 2017

@matz In the case with the MRB_DEFAULT_METHOD_MISSING flag, this stopped crashing after b64f087 so it looks like this is resolved now.
