
Heap buffer overflow #3501

Closed
clayton-shopify opened this Issue Mar 10, 2017 · 0 comments

clayton-shopify commented Mar 10, 2017

The following input demonstrates a crash:

module A module A
ensure
  module A module A module A module A
  ensure
    module A module A module A module A module A module A
     a
    ensure
      module A
        yield
      end
    end end end end end end
  end end end end
end end

ASAN report:

=================================================================
==52749==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200001c8e8 at pc 0x000109772e3f bp 0x7fff565e97d0 sp 0x7fff565e97c8
READ of size 4 at 0x60200001c8e8 thread T0
    #0 0x109772e3e in mrb_vm_exec vm.c:1868
    #1 0x10975a939 in mrb_vm_run vm.c:823
    #2 0x1097539be in mrb_run vm.c:2571
    #3 0x10978966e in ecall vm.c:314
    #4 0x10976e51b in mrb_vm_exec vm.c:1652
    #5 0x10975a939 in mrb_vm_run vm.c:823
    #6 0x1097539be in mrb_run vm.c:2571
    #7 0x10978966e in ecall vm.c:314
    #8 0x109762852 in mrb_vm_exec vm.c:1133
    #9 0x10975a939 in mrb_vm_run vm.c:823
    #10 0x1097539be in mrb_run vm.c:2571
    #11 0x10978966e in ecall vm.c:314
    #12 0x109762852 in mrb_vm_exec vm.c:1133
    #13 0x10975a939 in mrb_vm_run vm.c:823
    #14 0x10978c359 in mrb_top_run vm.c:2582
    #15 0x10985ae45 in mrb_load_exec parse.y:5760
    #16 0x10985bc55 in mrb_load_file_cxt parse.y:5769
    #17 0x1095f7046 in main mruby.c:227
    #18 0x7fffb4357254 in start (libdyld.dylib+0x5254)

0x60200001c8e8 is located 8 bytes to the left of 10-byte region [0x60200001c8f0,0x60200001c8fa)
allocated by thread T0 here:
    #0 0x10999ef87 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4af87)
    #1 0x1096f0015 in mrb_default_allocf state.c:60
    #2 0x109671bc8 in mrb_realloc_simple gc.c:201
    #3 0x109672d53 in mrb_malloc_simple gc.c:242
    #4 0x10982d9cd in codegen_malloc codegen.c:123
    #5 0x10982d54a in scope_finish codegen.c:2879
    #6 0x10981f58a in scope_body codegen.c:753
    #7 0x10980a193 in codegen codegen.c:1577
    #8 0x1098038f1 in mrb_generate_code codegen.c:2983
    #9 0x10985a2c0 in mrb_load_exec parse.y:5737
    #10 0x10985bc55 in mrb_load_file_cxt parse.y:5769
    #11 0x1095f7046 in main mruby.c:227
    #12 0x7fffb4357254 in start (libdyld.dylib+0x5254)

SUMMARY: AddressSanitizer: heap-buffer-overflow vm.c:1868 in mrb_vm_exec
==52749==ABORTING
Abort trap: 6

This issue was reported by Dinko Galetic and Denis Kasak (https://hackerone.com/dgaletic)
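Reports like the one above arrive in volume from a fuzzing campaign, and the first job is to bucket them by bug class and faulting frame rather than by raw address. As an added example (not code from this issue or from the mruby project), the Python helper below parses the report header, the access line, both stack traces and the "located N bytes to the left/right of" line, then derives a deduplication key from the first project frame on each stack. The sample input is an abridged copy of this issue's own report; the list of allocator-wrapper frames to skip is an assumed heuristic.

```python
import re
# Abridged copy of this issue's ASAN report, embedded as sample input (intermediate frames dropped).
ASAN_REPORT = """\
==52749==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200001c8e8 at pc 0x000109772e3f bp 0x7fff565e97d0 sp 0x7fff565e97c8
READ of size 4 at 0x60200001c8e8 thread T0
    #0 0x109772e3e in mrb_vm_exec vm.c:1868
0x60200001c8e8 is located 8 bytes to the left of 10-byte region [0x60200001c8f0,0x60200001c8fa)
allocated by thread T0 here:
    #0 0x10999ef87 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4af87)
    #4 0x10982d9cd in codegen_malloc codegen.c:123
    #5 0x10982d54a in scope_finish codegen.c:2879
SUMMARY: AddressSanitizer: heap-buffer-overflow vm.c:1868 in mrb_vm_exec
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)")
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)")
REGION_RE = re.compile(r"is located (?P<dist>\d+) bytes to the (?P<side>left|right) of (?P<len>\d+)-byte region")
# Assumed heuristic: allocator/sanitizer wrapper frames that are not the real allocation site.
RUNTIME_FRAMES = ("wrap_", "mrb_default_allocf", "mrb_realloc_simple", "mrb_malloc_simple", "codegen_malloc")

def parse_asan(text):
    """Extract bug kind, access op/size, offset relative to the region start, and both stacks."""
    info = {"crash_stack": [], "alloc_stack": []}
    stack = "crash_stack"  # frames go here until the allocation/free section starts
    for line in text.splitlines():
        if m := ERROR_RE.search(line):
            info["kind"], info["addr"] = m["kind"], m["addr"]
        elif m := ACCESS_RE.match(line):
            info["op"], info["size"] = m["op"], int(m["size"])
        elif m := REGION_RE.search(line):
            # Negative offset = underflow before the region; positive = past its end.
            info["offset"] = -int(m["dist"]) if m["side"] == "left" else int(m["len"]) + int(m["dist"])
            info["region_len"] = int(m["len"])
        elif "allocated by" in line or "freed by" in line:
            stack = "alloc_stack"
        elif m := FRAME_RE.match(line):
            info[stack].append((m["func"], m["loc"]))
    return info

def project_frame(stack):
    """First frame with a file:line location that is not an allocator wrapper."""
    for func, loc in stack:
        if ":" in loc and not func.startswith(RUNTIME_FRAMES):
            return func, loc
    return None, None

def triage_key(info):
    """Bucket key for deduplicating crashes: bug class, access, faulting frame, allocation frame."""
    crash, alloc = project_frame(info["crash_stack"]), project_frame(info["alloc_stack"])
    return f"{info['kind']}|{info['op']}{info['size']}|{crash[0]}@{crash[1]}|{alloc[0]}@{alloc[1]}"
```

Two reports with the same key are almost certainly the same bug even when their heap addresses and PCs differ between runs.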
