Heap use-after-free in OP_RETURN #3556

Closed
clayton-shopify opened this Issue Mar 28, 2017 · 0 comments

clayton-shopify commented Mar 28, 2017

The following input demonstrates a crash:

if def class
  A
  ensure
    e rescue 0
  end
end
[].map.a

ASAN report:

==9583==ERROR: AddressSanitizer: heap-use-after-free on address 0x62200001aa50 at pc 0x00010951b8b6 bp 0x7fff567138d0 sp 0x7fff567138c8
READ of size 4 at 0x62200001aa50 thread T0
    #0 0x10951b8b5 in mrb_vm_exec vm.c:1681
    #1 0x109507619 in mrb_vm_run vm.c:823
    #2 0x10950035e in mrb_run vm.c:2603
    #3 0x1094fdca7 in mrb_funcall_with_block vm.c:451
    #4 0x1094fa677 in mrb_funcall_argv vm.c:461
    #5 0x10944bef2 in mrb_method_missing kernel.c:926
    #6 0x109511035 in mrb_vm_exec vm.c:1225
    #7 0x109507619 in mrb_vm_run vm.c:823
    #8 0x10950035e in mrb_run vm.c:2603
    #9 0x109536cda in ecall vm.c:312
    #10 0x10951b8ec in mrb_vm_exec vm.c:1682
    #11 0x109507619 in mrb_vm_run vm.c:823
    #12 0x10950035e in mrb_run vm.c:2603
    #13 0x1094fdca7 in mrb_funcall_with_block vm.c:451
    #14 0x1094fa677 in mrb_funcall_argv vm.c:461
    #15 0x10944bef2 in mrb_method_missing kernel.c:926
    #16 0x109511035 in mrb_vm_exec vm.c:1225
    #17 0x109507619 in mrb_vm_run vm.c:823
    #18 0x10950035e in mrb_run vm.c:2603
    #19 0x109536cda in ecall vm.c:312
    #20 0x10951b8ec in mrb_vm_exec vm.c:1682
    #21 0x109507619 in mrb_vm_run vm.c:823
    #22 0x10950035e in mrb_run vm.c:2603
    #23 0x1094fdca7 in mrb_funcall_with_block vm.c:451
    #24 0x1094fa677 in mrb_funcall_argv vm.c:461
    #25 0x10944bef2 in mrb_method_missing kernel.c:926
    #26 0x109511035 in mrb_vm_exec vm.c:1225
    #27 0x109507619 in mrb_vm_run vm.c:823
    #28 0x10950035e in mrb_run vm.c:2603
    #29 0x109536cda in ecall vm.c:312
    #30 0x10951b8ec in mrb_vm_exec vm.c:1682
    #31 0x109507619 in mrb_vm_run vm.c:823
    #32 0x10950035e in mrb_run vm.c:2603
    #33 0x1094fdca7 in mrb_funcall_with_block vm.c:451
    #34 0x1094fa677 in mrb_funcall_argv vm.c:461
    #35 0x10944bef2 in mrb_method_missing kernel.c:926
    #36 0x109511035 in mrb_vm_exec vm.c:1225
    #37 0x109507619 in mrb_vm_run vm.c:823
    #38 0x10950035e in mrb_run vm.c:2603
    #39 0x109536cda in ecall vm.c:312
    #40 0x10951b8ec in mrb_vm_exec vm.c:1682
    #41 0x109507619 in mrb_vm_run vm.c:823
    #42 0x10950035e in mrb_run vm.c:2603
    #43 0x1094fdca7 in mrb_funcall_with_block vm.c:451
    #44 0x1094fa677 in mrb_funcall_argv vm.c:461
    #45 0x10944bef2 in mrb_method_missing kernel.c:926
    #46 0x109511035 in mrb_vm_exec vm.c:1225
    #47 0x109507619 in mrb_vm_run vm.c:823
    #48 0x10950035e in mrb_run vm.c:2603
    #49 0x109536cda in ecall vm.c:312
    #50 0x10951b8ec in mrb_vm_exec vm.c:1682
    #51 0x109507619 in mrb_vm_run vm.c:823
    #52 0x10950035e in mrb_run vm.c:2603
    #53 0x1094fdca7 in mrb_funcall_with_block vm.c:451
    #54 0x1094fa677 in mrb_funcall_argv vm.c:461
    #55 0x10944bef2 in mrb_method_missing kernel.c:926
    #56 0x109511035 in mrb_vm_exec vm.c:1225
    #57 0x109507619 in mrb_vm_run vm.c:823
    #58 0x10950035e in mrb_run vm.c:2603
    #59 0x109536cda in ecall vm.c:312
    #60 0x10951b8ec in mrb_vm_exec vm.c:1682
    #61 0x109507619 in mrb_vm_run vm.c:823
    #62 0x10950035e in mrb_run vm.c:2603
    #63 0x1094fdca7 in mrb_funcall_with_block vm.c:451
    #64 0x1094fa677 in mrb_funcall_argv vm.c:461
    #65 0x10944bef2 in mrb_method_missing kernel.c:926
    #66 0x109511035 in mrb_vm_exec vm.c:1225
    #67 0x109507619 in mrb_vm_run vm.c:823
    #68 0x10950035e in mrb_run vm.c:2603
    #69 0x109536cda in ecall vm.c:312
    #70 0x10951b8ec in mrb_vm_exec vm.c:1682
    #71 0x109507619 in mrb_vm_run vm.c:823
    #72 0x10950035e in mrb_run vm.c:2603
    #73 0x1094fdca7 in mrb_funcall_with_block vm.c:451
    #74 0x1094fa677 in mrb_funcall_argv vm.c:461
    #75 0x10944bef2 in mrb_method_missing kernel.c:926
    #76 0x109511035 in mrb_vm_exec vm.c:1225
    #77 0x109507619 in mrb_vm_run vm.c:823
    #78 0x10950035e in mrb_run vm.c:2603
    #79 0x109536cda in ecall vm.c:312
    #80 0x10951b8ec in mrb_vm_exec vm.c:1682
    #81 0x109507619 in mrb_vm_run vm.c:823
    #82 0x10950035e in mrb_run vm.c:2603
    #83 0x1094fdca7 in mrb_funcall_with_block vm.c:451
    #84 0x1094fa677 in mrb_funcall_argv vm.c:461
    #85 0x10944bef2 in mrb_method_missing kernel.c:926
    #86 0x109511035 in mrb_vm_exec vm.c:1225
    #87 0x109507619 in mrb_vm_run vm.c:823
    #88 0x10950035e in mrb_run vm.c:2603
    #89 0x109536cda in ecall vm.c:312
    #90 0x10951b8ec in mrb_vm_exec vm.c:1682
    #91 0x109507619 in mrb_vm_run vm.c:823
    #92 0x10950035e in mrb_run vm.c:2603
    #93 0x1094fdca7 in mrb_funcall_with_block vm.c:451
    #94 0x1094fa677 in mrb_funcall_argv vm.c:461
    #95 0x10944bef2 in mrb_method_missing kernel.c:926
    #96 0x109511035 in mrb_vm_exec vm.c:1225
    #97 0x109507619 in mrb_vm_run vm.c:823
    #98 0x10950035e in mrb_run vm.c:2603
    #99 0x109536cda in ecall vm.c:312
    #100 0x10951b8ec in mrb_vm_exec vm.c:1682
    #101 0x109507619 in mrb_vm_run vm.c:823
    #102 0x10950035e in mrb_run vm.c:2603
    #103 0x1094fdca7 in mrb_funcall_with_block vm.c:451
    #104 0x1094fa677 in mrb_funcall_argv vm.c:461
    #105 0x10944bef2 in mrb_method_missing kernel.c:926
    #106 0x109511035 in mrb_vm_exec vm.c:1225
    #107 0x109507619 in mrb_vm_run vm.c:823
    #108 0x10950035e in mrb_run vm.c:2603
    #109 0x109536cda in ecall vm.c:312
    #110 0x10951b8ec in mrb_vm_exec vm.c:1682
    #111 0x109507619 in mrb_vm_run vm.c:823
    #112 0x10950035e in mrb_run vm.c:2603
    #113 0x1094fdca7 in mrb_funcall_with_block vm.c:451
    #114 0x1094fa677 in mrb_funcall_argv vm.c:461
    #115 0x10944bef2 in mrb_method_missing kernel.c:926
    #116 0x109511035 in mrb_vm_exec vm.c:1225
    #117 0x109507619 in mrb_vm_run vm.c:823
    #118 0x10950035e in mrb_run vm.c:2603
    #119 0x109536cda in ecall vm.c:312
    #120 0x10951b8ec in mrb_vm_exec vm.c:1682
    #121 0x109507619 in mrb_vm_run vm.c:823
    #122 0x10950035e in mrb_run vm.c:2603
    #123 0x1094fdca7 in mrb_funcall_with_block vm.c:451
    #124 0x1094fa677 in mrb_funcall_argv vm.c:461
    #125 0x10944bef2 in mrb_method_missing kernel.c:926
    #126 0x109511035 in mrb_vm_exec vm.c:1225
    #127 0x109507619 in mrb_vm_run vm.c:823
    #128 0x10950035e in mrb_run vm.c:2603
    #129 0x109536cda in ecall vm.c:312
    #130 0x10951b8ec in mrb_vm_exec vm.c:1682
    #131 0x109507619 in mrb_vm_run vm.c:823
    #132 0x10950035e in mrb_run vm.c:2603
    #133 0x1094fdca7 in mrb_funcall_with_block vm.c:451
    #134 0x1094fa677 in mrb_funcall_argv vm.c:461
    #135 0x10944bef2 in mrb_method_missing kernel.c:926
    #136 0x109511035 in mrb_vm_exec vm.c:1225
    #137 0x109507619 in mrb_vm_run vm.c:823
    #138 0x10950035e in mrb_run vm.c:2603
    #139 0x109536cda in ecall vm.c:312
    #140 0x10951b8ec in mrb_vm_exec vm.c:1682
    #141 0x109507619 in mrb_vm_run vm.c:823
    #142 0x10950035e in mrb_run vm.c:2603
    #143 0x1094fdca7 in mrb_funcall_with_block vm.c:451
    #144 0x1094fa677 in mrb_funcall_argv vm.c:461
    #145 0x10944bef2 in mrb_method_missing kernel.c:926
    #146 0x109511035 in mrb_vm_exec vm.c:1225
    #147 0x109507619 in mrb_vm_run vm.c:823
    #148 0x10950035e in mrb_run vm.c:2603
    #149 0x109536cda in ecall vm.c:312
    #150 0x10951b8ec in mrb_vm_exec vm.c:1682
    #151 0x109507619 in mrb_vm_run vm.c:823
    #152 0x10950035e in mrb_run vm.c:2603
    #153 0x1094fdca7 in mrb_funcall_with_block vm.c:451
    #154 0x1094fa677 in mrb_funcall_argv vm.c:461
    #155 0x10944bef2 in mrb_method_missing kernel.c:926
    #156 0x109511035 in mrb_vm_exec vm.c:1225
    #157 0x109507619 in mrb_vm_run vm.c:823
    #158 0x10950035e in mrb_run vm.c:2603
    #159 0x109536cda in ecall vm.c:312
    #160 0x10951b8ec in mrb_vm_exec vm.c:1682
    #161 0x109507619 in mrb_vm_run vm.c:823
    #162 0x10950035e in mrb_run vm.c:2603
    #163 0x1094fdca7 in mrb_funcall_with_block vm.c:451
    #164 0x1094fa677 in mrb_funcall_argv vm.c:461
    #165 0x10944bef2 in mrb_method_missing kernel.c:926
    #166 0x109511035 in mrb_vm_exec vm.c:1225
    #167 0x109507619 in mrb_vm_run vm.c:823
    #168 0x10950035e in mrb_run vm.c:2603
    #169 0x109536cda in ecall vm.c:312
    #170 0x10951b8ec in mrb_vm_exec vm.c:1682
    #171 0x109507619 in mrb_vm_run vm.c:823
    #172 0x10950035e in mrb_run vm.c:2603
    #173 0x1094fdca7 in mrb_funcall_with_block vm.c:451
    #174 0x1094fa677 in mrb_funcall_argv vm.c:461
    #175 0x10944bef2 in mrb_method_missing kernel.c:926
    #176 0x109511035 in mrb_vm_exec vm.c:1225
    #177 0x109507619 in mrb_vm_run vm.c:823
    #178 0x10950035e in mrb_run vm.c:2603
    #179 0x109536cda in ecall vm.c:312
    #180 0x10951b8ec in mrb_vm_exec vm.c:1682
    #181 0x109507619 in mrb_vm_run vm.c:823
    #182 0x10950035e in mrb_run vm.c:2603
    #183 0x1094fdca7 in mrb_funcall_with_block vm.c:451
    #184 0x1094fa677 in mrb_funcall_argv vm.c:461
    #185 0x10944bef2 in mrb_method_missing kernel.c:926
    #186 0x109511035 in mrb_vm_exec vm.c:1225
    #187 0x109507619 in mrb_vm_run vm.c:823
    #188 0x1095398f9 in mrb_top_run vm.c:2614
    #189 0x10960a7a5 in mrb_load_exec parse.y:5760
    #190 0x10960b5b5 in mrb_load_file_cxt parse.y:5769
    #191 0x1093a5066 in main mruby.c:227
    #192 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

0x62200001aa50 is located 4432 bytes inside of 4960-byte region [0x622000019900,0x62200001ac60)
freed by thread T0 here:
    #0 0x10a31a520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x10949c885 in mrb_default_allocf state.c:60
    #2 0x10941e528 in mrb_realloc_simple gc.c:201
    #3 0x10941ec0e in mrb_realloc gc.c:215
    #4 0x1094ff4f9 in cipush vm.c:239
    #5 0x109516056 in mrb_vm_exec vm.c:1417
    #6 0x109507619 in mrb_vm_run vm.c:823
    #7 0x10950035e in mrb_run vm.c:2603
    #8 0x1094fdca7 in mrb_funcall_with_block vm.c:451
    #9 0x1094fa677 in mrb_funcall_argv vm.c:461
    #10 0x1093e2985 in mrb_obj_new class.c:1429
    #11 0x10940d019 in raise_va error.c:392
    #12 0x10940d4e6 in mrb_name_error error.c:413
    #13 0x1093f8cd1 in mrb_mod_const_missing class.c:2189
    #14 0x1094fd8a5 in mrb_funcall_with_block vm.c:444
    #15 0x1094fa677 in mrb_funcall_argv vm.c:461
    #16 0x1094f279e in const_get variable.c:913
    #17 0x1094f3102 in mrb_vm_const_get variable.c:953
    #18 0x10950b7f7 in mrb_vm_exec vm.c:988
    #19 0x109507619 in mrb_vm_run vm.c:823
    #20 0x10950035e in mrb_run vm.c:2603
    #21 0x1094fdca7 in mrb_funcall_with_block vm.c:451
    #22 0x1094fa677 in mrb_funcall_argv vm.c:461
    #23 0x10944bef2 in mrb_method_missing kernel.c:926
    #24 0x109511035 in mrb_vm_exec vm.c:1225
    #25 0x109507619 in mrb_vm_run vm.c:823
    #26 0x10950035e in mrb_run vm.c:2603
    #27 0x109536cda in ecall vm.c:312
    #28 0x10951b8ec in mrb_vm_exec vm.c:1682
    #29 0x109507619 in mrb_vm_run vm.c:823

previously allocated by thread T0 here:
    #0 0x10a31a520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x10949c885 in mrb_default_allocf state.c:60
    #2 0x10941e528 in mrb_realloc_simple gc.c:201
    #3 0x10941ec0e in mrb_realloc gc.c:215
    #4 0x1094ff4f9 in cipush vm.c:239
    #5 0x109516056 in mrb_vm_exec vm.c:1417
    #6 0x109507619 in mrb_vm_run vm.c:823
    #7 0x10950035e in mrb_run vm.c:2603
    #8 0x1094fdca7 in mrb_funcall_with_block vm.c:451
    #9 0x1094fa677 in mrb_funcall_argv vm.c:461
    #10 0x1093e2985 in mrb_obj_new class.c:1429
    #11 0x10940d019 in raise_va error.c:392
    #12 0x10940d4e6 in mrb_name_error error.c:413
    #13 0x1093f8cd1 in mrb_mod_const_missing class.c:2189
    #14 0x1094fd8a5 in mrb_funcall_with_block vm.c:444
    #15 0x1094fa677 in mrb_funcall_argv vm.c:461
    #16 0x1094f279e in const_get variable.c:913
    #17 0x1094f3102 in mrb_vm_const_get variable.c:953
    #18 0x10950b7f7 in mrb_vm_exec vm.c:988
    #19 0x109507619 in mrb_vm_run vm.c:823
    #20 0x10950035e in mrb_run vm.c:2603
    #21 0x1094fdca7 in mrb_funcall_with_block vm.c:451
    #22 0x1094fa677 in mrb_funcall_argv vm.c:461
    #23 0x10944bef2 in mrb_method_missing kernel.c:926
    #24 0x109511035 in mrb_vm_exec vm.c:1225
    #25 0x109507619 in mrb_vm_run vm.c:823
    #26 0x10950035e in mrb_run vm.c:2603
    #27 0x109536cda in ecall vm.c:312
    #28 0x10951b8ec in mrb_vm_exec vm.c:1682
    #29 0x109507619 in mrb_vm_run vm.c:823

SUMMARY: AddressSanitizer: heap-use-after-free vm.c:1681 in mrb_vm_exec
Shadow bytes around the buggy address:
  0x1c44000034f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c4400003500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c4400003510: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c4400003520: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c4400003530: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x1c4400003540: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
  0x1c4400003550: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c4400003560: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c4400003570: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c4400003580: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x1c4400003590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9583==ABORTING
Abort trap: 6

This issue was reported by Dinko Galetic and Denis Kasak (https://hackerone.com/dgaletic).
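The trace pins the free to the realloc in cipush (vm.c:239) and the read to OP_RETURN in mrb_vm_exec (vm.c:1681) after the nested ecall / method_missing / const_missing chain has returned, which is the signature of a pointer into the callinfo stack being cached across a call that can grow that stack. The following is an added C model of that pattern for readers of this issue; it is not mruby source and not the change made in f5632f2. The struct layout, field names and helper names are assumptions, and the model moves the block on every growth so the hazard is deterministic (mruby's mrb_realloc may grow in place, which is one reason this class of bug reproduces only for some inputs and allocators).

```c
/* Toy model of the bug class behind the ASAN report above: a pointer cached
 * into a realloc-grown frame stack is dereferenced after a nested call grew
 * (and therefore moved) that stack.  Added example, not mruby source. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for mruby's mrb_callinfo; field names are assumptions. */
typedef struct {
    int acc;    /* where OP_RETURN stores its result in this model */
    int argc;
} callinfo;

typedef struct {
    callinfo *cibase;  /* array start: moves whenever the stack grows */
    callinfo *ciend;   /* one past the last allocated slot */
    callinfo *ci;      /* current frame */
} mrb_ctx;

static void ctx_init(mrb_ctx *c, size_t slots) {
    c->cibase = calloc(slots, sizeof *c->cibase);
    if (!c->cibase) abort();
    c->ciend = c->cibase + slots;
    c->ci = c->cibase;  /* frame 0 is the running method */
}

static void ctx_free(mrb_ctx *c) {
    free(c->cibase);
    c->cibase = c->ciend = c->ci = NULL;
}

/* Models cipush (vm.c:239 in the report): grow when full.  mruby uses realloc,
 * which may or may not move the block; this model always moves it so the
 * stale-pointer hazard is deterministic. */
static callinfo *cipush(mrb_ctx *c) {
    if (c->ci + 1 >= c->ciend) {
        size_t size = (size_t)(c->ciend - c->cibase);
        ptrdiff_t idx = c->ci - c->cibase;
        callinfo *nb = calloc(size * 2, sizeof *nb);
        if (!nb) abort();
        memcpy(nb, c->cibase, size * sizeof *nb);
        free(c->cibase);                 /* old frames are now dead memory */
        c->cibase = nb;
        c->ciend = nb + size * 2;
        c->ci = nb + idx;
    }
    ++c->ci;
    memset(c->ci, 0, sizeof *c->ci);
    return c->ci;
}

static void cipop(mrb_ctx *c) { --c->ci; }

/* Stand-in for the ecall -> method_missing -> const_missing -> NameError.new
 * chain in the report: pushes `depth` frames and pops them again. */
static void nested_call(mrb_ctx *c, int depth) {
    for (int i = 0; i < depth; i++) cipush(c);
    for (int i = 0; i < depth; i++) cipop(c);
}

/* Buggy shape: `ci` is cached before the nested call and reused after it.
 * Returns true when the cached pointer no longer equals the live frame, i.e.
 * a dereference would read freed memory.  Only compares, never dereferences. */
bool op_return_stale(mrb_ctx *c, int depth) {
    callinfo *ci = c->ci;
    nested_call(c, depth);
    return ci != c->ci;
}

/* Same shape, but actually performs the read.  Built with -fsanitize=address
 * this produces a heap-use-after-free report of the same shape as above. */
int op_return_stale_read(mrb_ctx *c, int depth) {
    callinfo *ci = c->ci;
    ci->acc = 7;
    nested_call(c, depth);
    return ci->acc;           /* UAF once nested_call grew the stack */
}

/* Hardened shape: keep an index (or re-read c->ci) across any call that may
 * push frames, and derive the pointer again afterwards. */
int op_return_fixed(mrb_ctx *c, int depth) {
    ptrdiff_t idx = c->ci - c->cibase;
    c->ci->acc = 42;
    nested_call(c, depth);
    callinfo *ci = c->cibase + idx;  /* valid whatever cipush did */
    return ci->acc;
}

int main(void) {
    mrb_ctx c;
    ctx_init(&c, 4);
    printf("depth 2 (no growth): stale=%d\n", op_return_stale(&c, 2));
    printf("depth 16 (growth):   stale=%d\n", op_return_stale(&c, 16));
    ctx_free(&c);
    ctx_init(&c, 4);
    printf("fixed returns %d\n", op_return_fixed(&c, 16));
#ifdef UAF_DEMO
    printf("stale read returns %d\n", op_return_stale_read(&c, 16)); /* ASAN aborts here */
#endif
    ctx_free(&c);
    return 0;
}
```

Build normally to see the pointer-identity check flip from 0 to 1 once the stack grows; build with `cc -g -fno-omit-frame-pointer -fsanitize=address -DUAF_DEMO model.c` to have op_return_stale_read trigger a heap-use-after-free whose free site is the model's cipush, mirroring the report's "freed by ... cipush vm.c:239". The practitioner's check when auditing VM code of this kind is the same as the fix shape: any `ci`, `regs` or `stack` pointer that is held across a call into user-controllable code (method_missing, ensure/rescue handlers, allocation that can raise) must be re-derived from the base pointer after that call returns.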

@matz matz closed this in f5632f2 Apr 3, 2017
