New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Heap buffer overflow #3528

Closed
clayton-shopify opened this Issue Mar 20, 2017 · 0 comments

Comments

Projects
None yet
1 participant
@clayton-shopify
Contributor

clayton-shopify commented Mar 20, 2017

The following input demonstrates a crash:

def method_missing(m, *)
  a self.b ||= 0
end

c

ASAN report:

==80971==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62600000b900 at pc 0x00010b8d0bbe bp 0x7fff546c6770 sp 0x7fff546c5f30
WRITE of size 16 at 0x62600000b900 thread T0
    #0 0x10b8d0bbd in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib+0x41bbd)
    #1 0x10b69edd9 in mrb_vm_exec (mruby+0x10016edd9)
    #2 0x10b694f79 in mrb_vm_run (mruby+0x100164f79)
    #3 0x10b6c7249 in mrb_top_run (mruby+0x100197249)
    #4 0x10b796a85 in mrb_load_exec (mruby+0x100266a85)
    #5 0x10b797895 in mrb_load_file_cxt (mruby+0x100267895)
    #6 0x10b5325c6 in main mruby.c:227
    #7 0x7fff8cb21254 in start (libdyld.dylib+0x5254)

0x62600000b900 is located 0 bytes to the right of 10240-byte region [0x626000009100,0x62600000b900)
allocated by thread T0 here:
    #0 0x10b8d9f87 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4af87)
    #1 0x10b62a315 in mrb_default_allocf (mruby+0x1000fa315)
    #2 0x10b5ac118 in mrb_realloc_simple gc.c:201
    #3 0x10b5ac7fe in mrb_realloc gc.c:215
    #4 0x10b6c7cc1 in stack_extend_alloc (mruby+0x100197cc1)
    #5 0x10b68d3e7 in stack_extend (mruby+0x10015d3e7)
    #6 0x10b6a0605 in mrb_vm_exec (mruby+0x100170605)
    #7 0x10b694f79 in mrb_vm_run (mruby+0x100164f79)
    #8 0x10b6c7249 in mrb_top_run (mruby+0x100197249)
    #9 0x10b796a85 in mrb_load_exec (mruby+0x100266a85)
    #10 0x10b797895 in mrb_load_file_cxt (mruby+0x100267895)
    #11 0x10b5325c6 in main mruby.c:227
    #12 0x7fff8cb21254 in start (libdyld.dylib+0x5254)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib+0x41bbd) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c4c000016d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4c000016e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4c000016f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4c00001700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4c00001710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c4c00001720:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4c00001730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4c00001740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4c00001750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4c00001760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4c00001770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==80971==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ston3

@matz matz closed this in 195af52 Apr 1, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment