Null pointer dereference in ary_concat #3532

Closed
clayton-shopify opened this Issue Mar 21, 2017 · 1 comment


clayton-shopify commented Mar 21, 2017

The following input demonstrates a crash:

a *(
  [*()]
  0
)

I suspect this occurs due to invalid code generation.

$ bin/mruby -v 214171.rb
mruby 1.2.0 (2015-11-17)
214171.rb:1:3: '*' interpreted as argument prefix
00002 NODE_SCOPE:
00002   NODE_BEGIN:
00002     NODE_FCALL:
00002       NODE_SELF
00004       method='a' (358)
00002       args:
00004         NODE_SPLAT:
00002           NODE_BEGIN:
00002             NODE_ARRAY:
00002               NODE_SPLAT:
00002                 NODE_BEGIN:
00003             NODE_INT 0 base 10
irep 0x60c000014740 nregs=5 nlocals=1 pools=0 syms=1 reps=0
file: 214171.rb
    2 000 OP_LOADSELF	R1
    2 001 OP_ARRAY	R2	R2	0
    2 002 OP_LOADNIL	R3
    3 003 OP_LOADI	R4	0
    3 004 OP_ARYCAT	R3	R4
    3 005 OP_SEND	R2	:a	127
    3 006 OP_STOP

ASAN:DEADLYSIGNAL
=================================================================
==83636==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x0001062e9bfb bp 0x7fff59913610 sp 0x7fff59913530 T0)
    #0 0x1062e9bfa in ary_concat array.c:260
    #1 0x1062e9ab4 in mrb_ary_concat array.c:279
    #2 0x10646d8c3 in mrb_vm_exec (mruby+0x10018a8c3)
    #3 0x106447f79 in mrb_vm_run (mruby+0x100164f79)
    #4 0x10647a249 in mrb_top_run (mruby+0x100197249)
    #5 0x106549a85 in mrb_load_exec (mruby+0x100266a85)
    #6 0x10654a895 in mrb_load_file_cxt (mruby+0x100267895)
    #7 0x1062e55c6 in main mruby.c:227
    #8 0x7fff8cb21254 in start (libdyld.dylib+0x5254)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV array.c:260 in ary_concat
==83636==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ssarong
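The bytecode above loads nil into R3 (OP_LOADNIL) and then concatenates into that register (OP_ARYCAT R3 R4), so ary_concat is handed a receiver that is not an array; the small fault address 0x18 is consistent with a field read through a NULL object pointer. The C model below is an added example, not mruby's code: its struct layout, field names and value representation are assumptions, and it shows the operand tag check that turns such a dereference into a recoverable error.

```c
/* Added example (not mruby's code): a constructed model of a tagged VM value
 * showing why OP_LOADNIL R3 followed by OP_ARYCAT R3 R4 faults, and the tag
 * check that turns the NULL dereference into an error. Layout and names are
 * assumptions for illustration, not mruby's actual definitions. */
#include <stddef.h>
#include <stdint.h>

enum vtype { T_NIL = 0, T_ARRAY = 1 };

/* Model heap array: 'len' sits a few words past the object pointer, so a
 * read through a NULL pointer faults at a tiny address (0x18 in the report),
 * the classic signature of a null-pointer dereference. */
struct RArray {
    uintptr_t header; void *klass, *gcnext;   /* object header words */
    long len, capa, *ptr;
};
struct value { enum vtype tt; void *p; };    /* tagged value; nil carries NULL */

static struct value mk_nil(void) { struct value v = { T_NIL, NULL }; return v; }
static struct value mk_ary(struct RArray *a) { struct value v = { T_ARRAY, a }; return v; }

/* Hardened concat: validate both operand tags before dereferencing. Returns 0
 * on success, -1 for a non-array operand (a VM would raise TypeError here)
 * or when the model's fixed capacity is exceeded. */
int ary_concat_checked(struct value self, struct value other)
{
    if (self.tt != T_ARRAY || other.tt != T_ARRAY || !self.p || !other.p)
        return -1;
    struct RArray *a = self.p, *b = other.p;
    if (a->len + b->len > a->capa) return -1;
    for (long i = 0; i < b->len; i++) a->ptr[a->len + i] = b->ptr[i];
    a->len += b->len;
    return 0;
}

/* The reported register state: R3 = nil, R4 = the splatted [0]. Returns -1
 * from the check where the unchecked code dereferences NULL. */
int demo_nil_receiver(void)
{
    long zero[1] = {0}; struct RArray r4 = {0, NULL, NULL, 1, 1, zero};
    return ary_concat_checked(mk_nil(), mk_ary(&r4));
}

/* Well-formed case, [1,2] + [7], through the same path; returns length 3. */
long demo_concat(void)
{
    long buf[4] = {1, 2, 0, 0}, one[1] = {7};
    struct RArray a = {0, NULL, NULL, 2, 4, buf}, b = {0, NULL, NULL, 1, 1, one};
    return ary_concat_checked(mk_ary(&a), mk_ary(&b)) == 0 ? a.len : -1;
}
```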


clayton-shopify commented Mar 27, 2017

https://hackerone.com/ston3 reported another input that produces the same crash:

def method_missing(*)end
y(&:d).s g(*s)

@matz matz closed this in d35fcf1 Apr 3, 2017
