Null pointer dereference #3487

Closed
clayton-shopify opened this Issue Mar 7, 2017 · 1 comment

clayton-shopify commented Mar 7, 2017

The following input demonstrates a crash:

def to_str
  @b + + -> {}
rescue ""
end

class A < to_str
end

This results in recursion, but it seems to crash well before overflowing the stack:

Process 69290 stopped
* thread #1: tid = 0x190397c, 0x000000010016c63b mruby`mrb_vm_exec(mrb=0x000061400000fe40, proc=0x000062f000002dd0, pc=0x000060700000ccfc) + 27227 at vm.c:1088, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x28)
    frame #0: 0x000000010016c63b mruby`mrb_vm_exec(mrb=0x000061400000fe40, proc=0x000062f000002dd0, pc=0x000060700000ccfc) + 27227 at vm.c:1088
   1085
   1086	    CASE(OP_RESCUE) {
   1087	      /* A      R(A) := exc; clear(exc) */
-> 1088	      SET_OBJ_VALUE(regs[GETARG_A(i)], mrb->exc);
   1089	      mrb->exc = 0;
   1090	      NEXT;
   1091	    }
(lldb) bt
* thread #1: tid = 0x190397c, 0x000000010016c63b mruby`mrb_vm_exec(mrb=0x000061400000fe40, proc=0x000062f000002dd0, pc=0x000060700000ccfc) + 27227 at vm.c:1088, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x28)
  * frame #0: 0x000000010016c63b mruby`mrb_vm_exec(mrb=0x000061400000fe40, proc=0x000062f000002dd0, pc=0x000060700000ccfc) + 27227 at vm.c:1088
    frame #1: 0x0000000100165a6a mruby`mrb_vm_run(mrb=0x000061400000fe40, proc=0x000062f000002dd0, self=mrb_value @ 0x00007fff5f49dcc0, stack_keep=2) + 1114 at vm.c:822
    frame #2: 0x000000010015ebcf mruby`mrb_run(mrb=0x000061400000fe40, proc=0x000062f000002dd0, self=mrb_value @ 0x00007fff5f49dea0) + 1599 at vm.c:2570
    frame #3: 0x000000010015c518 mruby`mrb_funcall_with_block(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f49ea00, mid=144, argc=0, argv=0x00007fff5f49ef80, blk=mrb_value @ 0x00007fff5f49e0b0) + 13496 at vm.c:454
    frame #4: 0x0000000100158ee8 mruby`mrb_funcall_argv(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f49ed60, mid=144, argc=0, argv=0x00007fff5f49ef80) + 984 at vm.c:464
    frame #5: 0x000000010015896f mruby`mrb_funcall(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f49ef60, name="to_str", argc=0) + 1743 at vm.c:342
    frame #6: 0x0000000100106e1d mruby`mrb_str_equal(mrb=0x000061400000fe40, str1=mrb_value @ 0x00007fff5f49f460, str2=mrb_value @ 0x00007fff5f49f480) + 1661 at string.c:995
    frame #7: 0x000000010011b6c5 mruby`mrb_str_equal_m(mrb=0x000061400000fe40, str1=mrb_value @ 0x00007fff5f49f760) + 853 at string.c:1019
    frame #8: 0x000000010015c116 mruby`mrb_funcall_with_block(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f4a0240, mid=10, argc=1, argv=0x00007fff5f4a07c0, blk=mrb_value @ 0x00007fff5f49f8f0) + 12470 at vm.c:447
    frame #9: 0x0000000100158ee8 mruby`mrb_funcall_argv(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f4a05a0, mid=10, argc=1, argv=0x00007fff5f4a07c0) + 984 at vm.c:464
    frame #10: 0x000000010015896f mruby`mrb_funcall(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f4a07a0, name="==", argc=1) + 1743 at vm.c:342
    frame #11: 0x00000001000dab77 mruby`mrb_equal(mrb=0x000061400000fe40, obj1=mrb_value @ 0x00007fff5f4a0ca0, obj2=mrb_value @ 0x00007fff5f4a0cc0) + 1351 at object.c:48
    frame #12: 0x00000001000ae055 mruby`mrb_equal_m(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f4a0f20) + 853 at kernel.c:84
    frame #13: 0x000000010016fd85 mruby`mrb_vm_exec(mrb=0x000061400000fe40, proc=0x000062f000002dd0, pc=0x000060700000cd08) + 41381 at vm.c:1229
    frame #14: 0x0000000100165a6a mruby`mrb_vm_run(mrb=0x000061400000fe40, proc=0x000062f000002dd0, self=mrb_value @ 0x00007fff5f4a8920, stack_keep=2) + 1114 at vm.c:822
    frame #15: 0x000000010015ebcf mruby`mrb_run(mrb=0x000061400000fe40, proc=0x000062f000002dd0, self=mrb_value @ 0x00007fff5f4a8b00) + 1599 at vm.c:2570
    frame #16: 0x000000010015c518 mruby`mrb_funcall_with_block(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f4a9660, mid=144, argc=0, argv=0x00007fff5f4a9be0, blk=mrb_value @ 0x00007fff5f4a8d10) + 13496 at vm.c:454
    frame #17: 0x0000000100158ee8 mruby`mrb_funcall_argv(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f4a99c0, mid=144, argc=0, argv=0x00007fff5f4a9be0) + 984 at vm.c:464
    frame #18: 0x000000010015896f mruby`mrb_funcall(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f4a9bc0, name="to_str", argc=0) + 1743 at vm.c:342
    frame #19: 0x0000000100106e1d mruby`mrb_str_equal(mrb=0x000061400000fe40, str1=mrb_value @ 0x00007fff5f4aa0c0, str2=mrb_value @ 0x00007fff5f4aa0e0) + 1661 at string.c:995
    frame #20: 0x000000010011b6c5 mruby`mrb_str_equal_m(mrb=0x000061400000fe40, str1=mrb_value @ 0x00007fff5f4aa3c0) + 853 at string.c:1019
    frame #21: 0x000000010015c116 mruby`mrb_funcall_with_block(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f4aaea0, mid=10, argc=1, argv=0x00007fff5f4ab420, blk=mrb_value @ 0x00007fff5f4aa550) + 12470 at vm.c:447
    frame #22: 0x0000000100158ee8 mruby`mrb_funcall_argv(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f4ab200, mid=10, argc=1, argv=0x00007fff5f4ab420) + 984 at vm.c:464
    frame #23: 0x000000010015896f mruby`mrb_funcall(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f4ab400, name="==", argc=1) + 1743 at vm.c:342
    ...

This issue was reported by Dinko Galetic and Denis Kasak (https://hackerone.com/dgaletic).

dkasak commented Mar 9, 2017

The new recursion limit gets triggered and throws an exception, which prevents it from overflowing the stack. However, it appears the crash happens while rescuing that exception.
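As an added illustration, not mruby's code or its fix: a minimal C model of the invariant the comment points at. The rescue handler in the trace copies the pending exception into a register and clears the slot (`R(A) := exc; clear(exc)`), so it must tolerate an empty slot instead of reading through it. All names and the recursion-limit model are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>

/* Toy object model (assumed names, not mruby's). */
enum vtype { T_NIL = 0, T_EXCEPTION = 1, T_STRING = 2 };
struct robj   { enum vtype tt; const char *msg; };
struct value  { enum vtype tt; struct robj *p; };

struct vm {
  struct robj *exc;        /* pending exception, NULL when none is raised */
  struct value regs[4];
  int depth, max_depth;    /* recursion limit model */
};

/* Rescue opcode: regs[a] := exc; clear(exc).
 * The tt read below is the dereference a bare copy would perform; with an
 * empty slot we store nil and report "nothing rescued" instead. */
static bool op_rescue(struct vm *vm, int a) {
  struct robj *e = vm->exc;
  vm->exc = NULL;
  if (e == NULL) {
    vm->regs[a].tt = T_NIL;
    vm->regs[a].p = NULL;
    return false;
  }
  vm->regs[a].tt = e->tt;
  vm->regs[a].p = e;
  return true;
}

/* A call that recurses until the limit fires; raising means filling the slot. */
static struct robj too_deep = { T_EXCEPTION, "stack level too deep" };

static bool call_recursive(struct vm *vm) {
  if (++vm->depth > vm->max_depth) { vm->depth--; vm->exc = &too_deep; return false; }
  bool ok = call_recursive(vm);
  vm->depth--;
  return ok;
}

/* Scenario: the limit raises once; the first rescue consumes the exception,
 * a second rescue finds the slot already cleared and must not crash.
 * Returns the number of successful rescues, or -1 if an invariant broke. */
static int run_scenario(int max_depth) {
  struct vm vm = {0};
  vm.max_depth = max_depth;
  int rescued = 0;
  if (!call_recursive(&vm) && op_rescue(&vm, 0)) rescued++;
  if (op_rescue(&vm, 1)) rescued++;
  if (vm.exc != NULL || vm.regs[0].tt != T_EXCEPTION || vm.regs[1].tt != T_NIL) return -1;
  return rescued;
}
```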
