Null pointer dereference in OP_HASH #3517

Closed
clayton-shopify opened this Issue Mar 15, 2017 · 1 comment


clayton-shopify commented Mar 15, 2017

The following input demonstrates a crash:

def to_str
  @@b + + -> {}
rescue {}
rescue -> {}
rescue ""
end

class A < to_str
end

ASAN report:

==51803==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7fffaf668f44 bp 0x7fff5e129e80 sp 0x7fff5e129e80 T0)
    #0 0x7fffaf668f43 in _platform_memmove$VARIANT$Haswell (libsystem_platform.dylib+0x5f43)
    #1 0x1008a1bf8 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib+0x41bf8)
    #2 0x10068a968 in mrb_vm_exec vm.c:2385
    #3 0x100661f99 in mrb_vm_run vm.c:820
    #4 0x10065b01e in mrb_run vm.c:2604
    #5 0x100658967 in mrb_funcall_with_block vm.c:451
    #6 0x100655337 in mrb_funcall_argv vm.c:461
    #7 0x1005dac9e in convert_type object.c:320
    #8 0x1005dbdba in mrb_check_convert_type object.c:356
    #9 0x100609b9d in mrb_check_string_type string.c:1754
    #10 0x10050c5ec in join_ary array.c:1051
    #11 0x10050af6d in mrb_ary_join array.c:1075
    #12 0x100566442 in mrb_vformat error.c:362
    #13 0x100567329 in mrb_name_error error.c:399
    #14 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #15 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #16 0x100665a5d in mrb_vm_exec vm.c:969
    #17 0x100661f99 in mrb_vm_run vm.c:820
    #18 0x10065b01e in mrb_run vm.c:2604
    #19 0x100658967 in mrb_funcall_with_block vm.c:451
    #20 0x100655337 in mrb_funcall_argv vm.c:461
    #21 0x1005dac9e in convert_type object.c:320
    #22 0x1005dbdba in mrb_check_convert_type object.c:356
    #23 0x100609b9d in mrb_check_string_type string.c:1754
    #24 0x10050c5ec in join_ary array.c:1051
    #25 0x10050af6d in mrb_ary_join array.c:1075
    #26 0x100566442 in mrb_vformat error.c:362
    #27 0x100567329 in mrb_name_error error.c:399
    #28 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #29 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #30 0x100665a5d in mrb_vm_exec vm.c:969
    #31 0x100661f99 in mrb_vm_run vm.c:820
    #32 0x10065b01e in mrb_run vm.c:2604
    #33 0x100658967 in mrb_funcall_with_block vm.c:451
    #34 0x100655337 in mrb_funcall_argv vm.c:461
    #35 0x1005dac9e in convert_type object.c:320
    #36 0x1005dbdba in mrb_check_convert_type object.c:356
    #37 0x100609b9d in mrb_check_string_type string.c:1754
    #38 0x10050c5ec in join_ary array.c:1051
    #39 0x10050af6d in mrb_ary_join array.c:1075
    #40 0x100566442 in mrb_vformat error.c:362
    #41 0x100567329 in mrb_name_error error.c:399
    #42 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #43 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #44 0x100665a5d in mrb_vm_exec vm.c:969
    #45 0x100661f99 in mrb_vm_run vm.c:820
    #46 0x10065b01e in mrb_run vm.c:2604
    #47 0x100658967 in mrb_funcall_with_block vm.c:451
    #48 0x100655337 in mrb_funcall_argv vm.c:461
    #49 0x1005dac9e in convert_type object.c:320
    #50 0x1005dbdba in mrb_check_convert_type object.c:356
    #51 0x100609b9d in mrb_check_string_type string.c:1754
    #52 0x10050c5ec in join_ary array.c:1051
    #53 0x10050af6d in mrb_ary_join array.c:1075
    #54 0x100566442 in mrb_vformat error.c:362
    #55 0x100567329 in mrb_name_error error.c:399
    #56 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #57 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #58 0x100665a5d in mrb_vm_exec vm.c:969
    #59 0x100661f99 in mrb_vm_run vm.c:820
    #60 0x10065b01e in mrb_run vm.c:2604
    #61 0x100658967 in mrb_funcall_with_block vm.c:451
    #62 0x100655337 in mrb_funcall_argv vm.c:461
    #63 0x1005dac9e in convert_type object.c:320
    #64 0x1005dbdba in mrb_check_convert_type object.c:356
    #65 0x100609b9d in mrb_check_string_type string.c:1754
    #66 0x10050c5ec in join_ary array.c:1051
    #67 0x10050af6d in mrb_ary_join array.c:1075
    #68 0x100566442 in mrb_vformat error.c:362
    #69 0x100567329 in mrb_name_error error.c:399
    #70 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #71 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #72 0x100665a5d in mrb_vm_exec vm.c:969
    #73 0x100661f99 in mrb_vm_run vm.c:820
    #74 0x10065b01e in mrb_run vm.c:2604
    #75 0x100658967 in mrb_funcall_with_block vm.c:451
    #76 0x100655337 in mrb_funcall_argv vm.c:461
    #77 0x1005dac9e in convert_type object.c:320
    #78 0x1005dbdba in mrb_check_convert_type object.c:356
    #79 0x100609b9d in mrb_check_string_type string.c:1754
    #80 0x10050c5ec in join_ary array.c:1051
    #81 0x10050af6d in mrb_ary_join array.c:1075
    #82 0x100566442 in mrb_vformat error.c:362
    #83 0x100567329 in mrb_name_error error.c:399
    #84 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #85 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #86 0x100665a5d in mrb_vm_exec vm.c:969
    #87 0x100661f99 in mrb_vm_run vm.c:820
    #88 0x10065b01e in mrb_run vm.c:2604
    #89 0x100658967 in mrb_funcall_with_block vm.c:451
    #90 0x100655337 in mrb_funcall_argv vm.c:461
    #91 0x1005dac9e in convert_type object.c:320
    #92 0x1005dbdba in mrb_check_convert_type object.c:356
    #93 0x100609b9d in mrb_check_string_type string.c:1754
    #94 0x10050c5ec in join_ary array.c:1051
    #95 0x10050af6d in mrb_ary_join array.c:1075
    #96 0x100566442 in mrb_vformat error.c:362
    #97 0x100567329 in mrb_name_error error.c:399
    #98 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #99 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #100 0x100665a5d in mrb_vm_exec vm.c:969
    #101 0x100661f99 in mrb_vm_run vm.c:820
    #102 0x10065b01e in mrb_run vm.c:2604
    #103 0x100658967 in mrb_funcall_with_block vm.c:451
    #104 0x100655337 in mrb_funcall_argv vm.c:461
    #105 0x1005dac9e in convert_type object.c:320
    #106 0x1005dbdba in mrb_check_convert_type object.c:356
    #107 0x100609b9d in mrb_check_string_type string.c:1754
    #108 0x10050c5ec in join_ary array.c:1051
    #109 0x10050af6d in mrb_ary_join array.c:1075
    #110 0x100566442 in mrb_vformat error.c:362
    #111 0x100567329 in mrb_name_error error.c:399
    #112 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #113 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #114 0x100665a5d in mrb_vm_exec vm.c:969
    #115 0x100661f99 in mrb_vm_run vm.c:820
    #116 0x10065b01e in mrb_run vm.c:2604
    #117 0x100658967 in mrb_funcall_with_block vm.c:451
    #118 0x100655337 in mrb_funcall_argv vm.c:461
    #119 0x1005dac9e in convert_type object.c:320
    #120 0x1005dbdba in mrb_check_convert_type object.c:356
    #121 0x100609b9d in mrb_check_string_type string.c:1754
    #122 0x10050c5ec in join_ary array.c:1051
    #123 0x10050af6d in mrb_ary_join array.c:1075
    #124 0x100566442 in mrb_vformat error.c:362
    #125 0x100567329 in mrb_name_error error.c:399
    #126 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #127 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #128 0x100665a5d in mrb_vm_exec vm.c:969
    #129 0x100661f99 in mrb_vm_run vm.c:820
    #130 0x10065b01e in mrb_run vm.c:2604
    #131 0x100658967 in mrb_funcall_with_block vm.c:451
    #132 0x100655337 in mrb_funcall_argv vm.c:461
    #133 0x1005dac9e in convert_type object.c:320
    #134 0x1005dbdba in mrb_check_convert_type object.c:356
    #135 0x100609b9d in mrb_check_string_type string.c:1754
    #136 0x10050c5ec in join_ary array.c:1051
    #137 0x10050af6d in mrb_ary_join array.c:1075
    #138 0x100566442 in mrb_vformat error.c:362
    #139 0x100567329 in mrb_name_error error.c:399
    #140 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #141 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #142 0x100665a5d in mrb_vm_exec vm.c:969
    #143 0x100661f99 in mrb_vm_run vm.c:820
    #144 0x10065b01e in mrb_run vm.c:2604
    #145 0x100658967 in mrb_funcall_with_block vm.c:451
    #146 0x100655337 in mrb_funcall_argv vm.c:461
    #147 0x1005dac9e in convert_type object.c:320
    #148 0x1005dbdba in mrb_check_convert_type object.c:356
    #149 0x100609b9d in mrb_check_string_type string.c:1754
    #150 0x10050c5ec in join_ary array.c:1051
    #151 0x10050af6d in mrb_ary_join array.c:1075
    #152 0x100566442 in mrb_vformat error.c:362
    #153 0x100567329 in mrb_name_error error.c:399
    #154 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #155 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #156 0x100665a5d in mrb_vm_exec vm.c:969
    #157 0x100661f99 in mrb_vm_run vm.c:820
    #158 0x10065b01e in mrb_run vm.c:2604
    #159 0x100658967 in mrb_funcall_with_block vm.c:451
    #160 0x100655337 in mrb_funcall_argv vm.c:461
    #161 0x1005dac9e in convert_type object.c:320
    #162 0x1005dbdba in mrb_check_convert_type object.c:356
    #163 0x100609b9d in mrb_check_string_type string.c:1754
    #164 0x10050c5ec in join_ary array.c:1051
    #165 0x10050af6d in mrb_ary_join array.c:1075
    #166 0x100566442 in mrb_vformat error.c:362
    #167 0x100567329 in mrb_name_error error.c:399
    #168 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #169 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #170 0x100665a5d in mrb_vm_exec vm.c:969
    #171 0x100661f99 in mrb_vm_run vm.c:820
    #172 0x10065b01e in mrb_run vm.c:2604
    #173 0x100658967 in mrb_funcall_with_block vm.c:451
    #174 0x100655337 in mrb_funcall_argv vm.c:461
    #175 0x1005dac9e in convert_type object.c:320
    #176 0x1005dbdba in mrb_check_convert_type object.c:356
    #177 0x100609b9d in mrb_check_string_type string.c:1754
    #178 0x10050c5ec in join_ary array.c:1051
    #179 0x10050af6d in mrb_ary_join array.c:1075
    #180 0x100566442 in mrb_vformat error.c:362
    #181 0x100567329 in mrb_name_error error.c:399
    #182 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #183 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #184 0x100665a5d in mrb_vm_exec vm.c:969
    #185 0x100661f99 in mrb_vm_run vm.c:820
    #186 0x10065b01e in mrb_run vm.c:2604
    #187 0x100658967 in mrb_funcall_with_block vm.c:451
    #188 0x100655337 in mrb_funcall_argv vm.c:461
    #189 0x1005dac9e in convert_type object.c:320
    #190 0x1005dbdba in mrb_check_convert_type object.c:356
    #191 0x100609b9d in mrb_check_string_type string.c:1754
    #192 0x10050c5ec in join_ary array.c:1051
    #193 0x10050af6d in mrb_ary_join array.c:1075
    #194 0x100566442 in mrb_vformat error.c:362
    #195 0x100567329 in mrb_name_error error.c:399
    #196 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #197 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #198 0x100665a5d in mrb_vm_exec vm.c:969
    #199 0x100661f99 in mrb_vm_run vm.c:820
    #200 0x10065b01e in mrb_run vm.c:2604
    #201 0x100658967 in mrb_funcall_with_block vm.c:451
    #202 0x100655337 in mrb_funcall_argv vm.c:461
    #203 0x1005dac9e in convert_type object.c:320
    #204 0x1005dbdba in mrb_check_convert_type object.c:356
    #205 0x100609b9d in mrb_check_string_type string.c:1754
    #206 0x10050c5ec in join_ary array.c:1051
    #207 0x10050af6d in mrb_ary_join array.c:1075
    #208 0x100566442 in mrb_vformat error.c:362
    #209 0x100567329 in mrb_name_error error.c:399
    #210 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #211 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #212 0x100665a5d in mrb_vm_exec vm.c:969
    #213 0x100661f99 in mrb_vm_run vm.c:820
    #214 0x10065b01e in mrb_run vm.c:2604
    #215 0x100658967 in mrb_funcall_with_block vm.c:451
    #216 0x100655337 in mrb_funcall_argv vm.c:461
    #217 0x1005dac9e in convert_type object.c:320
    #218 0x1005dbdba in mrb_check_convert_type object.c:356
    #219 0x100609b9d in mrb_check_string_type string.c:1754
    #220 0x10050c5ec in join_ary array.c:1051
    #221 0x10050af6d in mrb_ary_join array.c:1075
    #222 0x100566442 in mrb_vformat error.c:362
    #223 0x100567329 in mrb_name_error error.c:399
    #224 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #225 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #226 0x100665a5d in mrb_vm_exec vm.c:969
    #227 0x100661f99 in mrb_vm_run vm.c:820
    #228 0x10065b01e in mrb_run vm.c:2604
    #229 0x100658967 in mrb_funcall_with_block vm.c:451
    #230 0x100655337 in mrb_funcall_argv vm.c:461
    #231 0x1005dac9e in convert_type object.c:320
    #232 0x1005dbdba in mrb_check_convert_type object.c:356
    #233 0x100609b9d in mrb_check_string_type string.c:1754
    #234 0x10050c5ec in join_ary array.c:1051
    #235 0x10050af6d in mrb_ary_join array.c:1075
    #236 0x100566442 in mrb_vformat error.c:362
    #237 0x100567329 in mrb_name_error error.c:399
    #238 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #239 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #240 0x100665a5d in mrb_vm_exec vm.c:969
    #241 0x100661f99 in mrb_vm_run vm.c:820
    #242 0x10065b01e in mrb_run vm.c:2604
    #243 0x100658967 in mrb_funcall_with_block vm.c:451
    #244 0x100655337 in mrb_funcall_argv vm.c:461
    #245 0x1005dac9e in convert_type object.c:320
    #246 0x1005dbdba in mrb_check_convert_type object.c:356
    #247 0x100609b9d in mrb_check_string_type string.c:1754
    #248 0x10050c5ec in join_ary array.c:1051
    #249 0x10050af6d in mrb_ary_join array.c:1075
    #250 0x100566442 in mrb_vformat error.c:362
    #251 0x100567329 in mrb_name_error error.c:399
    #252 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #253 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #254 0x100665a5d in mrb_vm_exec vm.c:969
    #255 0x100661f99 in mrb_vm_run vm.c:820

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (libsystem_platform.dylib+0x5f43) in _platform_memmove$VARIANT$Haswell
==51803==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ssarong
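The trace above repeats the same fourteen frames from #3 onward all the way to #255, which is the signature of unbounded recursion rather than a single bad pointer: `mrb_name_error` formats its message, the formatting converts the class object to a string, that calls back into the VM, and the class-variable lookup raises the same error again. The helper below is an added example for triaging such reports; it is not code from the issue or from mruby. It embeds a constructed excerpt of the quoted report (the header line and frames #0 to #30), parses the frame format shown on the page, and returns the facts a reviewer wants first: the fault address (0x30 being a NULL-plus-field-offset pattern, flagged by a heuristic threshold of 0x1000 that is an assumption of this script), the first source-level frame, and the repeating cycle with its period and occurrence count.

```python
"""Triage helper for ASAN crash reports: find the recursion cycle in the trace."""
import re

# Constructed sample: the header line and frames #0-#30 of the report quoted
# in the issue above; the real report continues in the same pattern to #255.
SAMPLE_REPORT = """\
==51803==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7fffaf668f44 bp 0x7fff5e129e80 sp 0x7fff5e129e80 T0)
    #0 0x7fffaf668f43 in _platform_memmove$VARIANT$Haswell (libsystem_platform.dylib+0x5f43)
    #1 0x1008a1bf8 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib+0x41bf8)
    #2 0x10068a968 in mrb_vm_exec vm.c:2385
    #3 0x100661f99 in mrb_vm_run vm.c:820
    #4 0x10065b01e in mrb_run vm.c:2604
    #5 0x100658967 in mrb_funcall_with_block vm.c:451
    #6 0x100655337 in mrb_funcall_argv vm.c:461
    #7 0x1005dac9e in convert_type object.c:320
    #8 0x1005dbdba in mrb_check_convert_type object.c:356
    #9 0x100609b9d in mrb_check_string_type string.c:1754
    #10 0x10050c5ec in join_ary array.c:1051
    #11 0x10050af6d in mrb_ary_join array.c:1075
    #12 0x100566442 in mrb_vformat error.c:362
    #13 0x100567329 in mrb_name_error error.c:399
    #14 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #15 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #16 0x100665a5d in mrb_vm_exec vm.c:969
    #17 0x100661f99 in mrb_vm_run vm.c:820
    #18 0x10065b01e in mrb_run vm.c:2604
    #19 0x100658967 in mrb_funcall_with_block vm.c:451
    #20 0x100655337 in mrb_funcall_argv vm.c:461
    #21 0x1005dac9e in convert_type object.c:320
    #22 0x1005dbdba in mrb_check_convert_type object.c:356
    #23 0x100609b9d in mrb_check_string_type string.c:1754
    #24 0x10050c5ec in join_ary array.c:1051
    #25 0x10050af6d in mrb_ary_join array.c:1075
    #26 0x100566442 in mrb_vformat error.c:362
    #27 0x100567329 in mrb_name_error error.c:399
    #28 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #29 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #30 0x100665a5d in mrb_vm_exec vm.c:969
"""

# Frame format as printed by the macOS/Clang ASAN runtime in the report above.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(\S+)")
FAULT_RE = re.compile(r"SEGV on unknown address (0x[0-9a-fA-F]+)")
SOURCE_LOC_RE = re.compile(r"[^:()\s]+:\d+")  # file.c:123, not (lib+0xoffset)

def parse_frames(report):
    """Return the stack as (function, location) tuples, top frame first."""
    return [(m.group(2), m.group(3))
            for m in map(FRAME_RE.match, report.splitlines()) if m]

def find_cycle(frames, min_occurrences=2):
    """Shortest frame block repeated back-to-back: (start, period, occurrences) or None."""
    n = len(frames)
    for period in range(1, n // 2 + 1):
        best = (0, 0)  # (start, longest run of frames[i] == frames[i + period])
        start = run = 0
        for i in range(n - period):
            if frames[i] == frames[i + period]:
                if run == 0:
                    start = i
                run += 1
                if run > best[1]:
                    best = (start, run)
            else:
                run = 0
        # a run of k matches at distance `period` means the block occurs k // period + 1 times
        if best[1] >= period * (min_occurrences - 1):
            return best[0], period, best[1] // period + 1
    return None

def triage(report):
    """Summarize a report: fault address, first source-level frame, recursion cycle."""
    frames = parse_frames(report)
    fault = FAULT_RE.search(report)
    summary = {
        "frames": len(frames),
        "fault_address": fault.group(1) if fault else None,
        # heuristic (assumption): a fault inside the first page is NULL plus a field offset
        "near_null": bool(fault) and int(fault.group(1), 16) < 0x1000,
        "top_source_frame": next((f for f in frames if SOURCE_LOC_RE.fullmatch(f[1])), None),
        "cycle": None,
    }
    cycle = find_cycle(frames)
    if cycle:
        start, period, occurrences = cycle
        summary["cycle"] = {"period": period, "occurrences": occurrences,
                            "functions": [fn for fn, _ in frames[start:start + period]]}
    return summary

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

Run against the full report, the cycle detector reports the same 14-frame period with 18 occurrences; on a genuine one-shot dereference it returns no cycle, which is the quickest way to tell a stack-exhaustion or re-entrancy bug apart from a plain missing NULL check when sorting fuzzer crashes.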

Member

matz commented Mar 18, 2017

crash is fixed by #3521

@matz matz closed this Mar 18, 2017

matz added a commit that referenced this issue Mar 18, 2017

matz added a commit that referenced this issue Apr 25, 2017
