Heap use-after-free in OP_SUPER #3560

Closed
clayton-shopify opened this issue Mar 28, 2017 · 2 comments
Comments

@clayton-shopify
Contributor

The following input demonstrates a crash:

class M
  def M.new(r)
    super
    new(0)
  end
end
M.new(0)

ASAN report:

==10518==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d00001de40 at pc 0x000106fcc4ca bp 0x7fff5902f750 sp 0x7fff5902ef00
WRITE of size 16 at 0x61d00001de40 thread T0
    #0 0x106fcc4c9 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d4c9)
    #1 0x106d3b021 in mrb_vm_exec vm.c:1454
    #2 0x106d2b619 in mrb_vm_run vm.c:823
    #3 0x106d5d8f9 in mrb_top_run vm.c:2614
    #4 0x106e2e7a5 in mrb_load_exec parse.y:5760
    #5 0x106e2f5b5 in mrb_load_file_cxt parse.y:5769
    #6 0x106bc9066 in main mruby.c:227
    #7 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

0x61d00001de40 is located 1984 bytes inside of 2048-byte region [0x61d00001d680,0x61d00001de80)
freed by thread T0 here:
    #0 0x106fd5520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x106cc0885 in mrb_default_allocf state.c:60
    #2 0x106c42528 in mrb_realloc_simple gc.c:201
    #3 0x106c42c0e in mrb_realloc gc.c:215
    #4 0x106d5e371 in stack_extend_alloc vm.c:161
    #5 0x106d23a87 in stack_extend vm.c:181
    #6 0x106d207c4 in mrb_funcall_with_block vm.c:409
    #7 0x106c05b79 in mrb_instance_new class.c:1415
    #8 0x106d3af22 in mrb_vm_exec vm.c:1454
    #9 0x106d2b619 in mrb_vm_run vm.c:823
    #10 0x106d5d8f9 in mrb_top_run vm.c:2614
    #11 0x106e2e7a5 in mrb_load_exec parse.y:5760
    #12 0x106e2f5b5 in mrb_load_file_cxt parse.y:5769
    #13 0x106bc9066 in main mruby.c:227
    #14 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

previously allocated by thread T0 here:
    #0 0x106fd5520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x106cc0885 in mrb_default_allocf state.c:60
    #2 0x106c42528 in mrb_realloc_simple gc.c:201
    #3 0x106c42c0e in mrb_realloc gc.c:215
    #4 0x106c43693 in mrb_malloc gc.c:236
    #5 0x106c4372d in mrb_calloc gc.c:254
    #6 0x106d225b2 in stack_init vm.c:97
    #7 0x106d1f51f in mrb_funcall_with_block vm.c:376
    #8 0x106d1ee97 in mrb_funcall_with_block vm.c:354
    #9 0x106d1e677 in mrb_funcall_argv vm.c:461
    #10 0x106c06985 in mrb_obj_new class.c:1429
    #11 0x106c2b4dd in mrb_exc_new_str error.c:32
    #12 0x106c352a7 in mrb_init_exception error.c:553
    #13 0x106c65f00 in mrb_init_core init.c:41
    #14 0x106cc081e in mrb_open_core state.c:47
    #15 0x106cc09ec in mrb_open_allocf state.c:107
    #16 0x106cc09b7 in mrb_open state.c:99
    #17 0x106bc7f78 in main mruby.c:171
    #18 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-use-after-free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d4c9) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c3a00003b70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a00003b80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a00003b90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a00003ba0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a00003bb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x1c3a00003bc0: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
  0x1c3a00003bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3a00003be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3a00003bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3a00003c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3a00003c10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==10518==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/mg36
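The trace above shows the shape of the bug: the write is a memcpy issued from mrb_vm_exec (the OP_SUPER handler), and the region it writes to was freed by stack_extend_alloc's realloc during the nested mrb_instance_new -> mrb_funcall_with_block -> stack_extend call that `super` triggered. In other words, the handler held a raw pointer into the VM value stack across a call that can grow, and therefore move, that stack. The following is an added example, not mruby's code, that reduces this bug class to a toy VM so the failure and the safe pattern (keep an offset across the call, recompute the pointer afterwards) can be seen side by side. Every name in it (`struct vm`, `stack_extend`, `nested_call`, `op_super`, `demo`) is hypothetical, and the arguments and stack sizes are constructed.

```c
/*
 * Added example (not mruby code): the bug class behind this report, reduced to
 * a toy VM. A handler caches a raw pointer into the VM's value stack, a nested
 * call grows the stack (the stack_extend_alloc -> realloc in the ASAN trace),
 * and the handler then writes through the now-dangling pointer (the memcpy
 * in mrb_vm_exec). All names here are hypothetical.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int64_t value;

struct vm {
    value *stack;   /* base of the value stack; moves whenever it grows */
    size_t len;     /* slots in use */
    size_t cap;     /* slots allocated */
};

static int vm_init(struct vm *vm, size_t cap)
{
    vm->stack = calloc(cap, sizeof *vm->stack);
    if (!vm->stack) return -1;
    vm->len = 0;
    vm->cap = cap;
    return 0;
}

static void vm_free(struct vm *vm)
{
    free(vm->stack);
    vm->stack = NULL;
    vm->len = vm->cap = 0;
}

/* Make room for `need` more slots. Allocate-copy-free is used instead of
 * realloc so that a growing stack always moves; with realloc the move is
 * merely possible, which is why this kind of bug is intermittent. */
static int stack_extend(struct vm *vm, size_t need)
{
    if (vm->len + need <= vm->cap) return 0;
    size_t ncap = vm->cap * 2 + need;
    value *nstack = calloc(ncap, sizeof *nstack);
    if (!nstack) return -1;
    memcpy(nstack, vm->stack, vm->len * sizeof *nstack);
    free(vm->stack);   /* every pointer into the old buffer is now dangling */
    vm->stack = nstack;
    vm->cap = ncap;
    return 0;
}

/* Stand-in for the nested call in the trace (mrb_instance_new ->
 * mrb_funcall_with_block -> stack_extend): pushes a frame of `slots` zeros. */
static int nested_call(struct vm *vm, size_t slots)
{
    if (stack_extend(vm, slots) != 0) return -1;
    for (size_t i = 0; i < slots; i++) vm->stack[vm->len++] = 0;
    return 0;
}

/* Stand-in for OP_SUPER: copy `nargs` arguments into the register window at
 * `base` after the nested call returns.
 *   rederive == 0 mirrors the bug: the register pointer is cached before the
 *                 call. Rather than performing the write (the use-after-free
 *                 ASAN reported), the function detects that the cached address
 *                 no longer matches the live stack and returns -2.
 *   rederive == 1 is the safe pattern: keep only the offset across the call
 *                 and recompute the pointer from the current stack base.
 * Returns 0 on success, -1 on allocation failure. */
static int op_super(struct vm *vm, size_t base, const value *args, size_t nargs, int rederive)
{
    uintptr_t cached = (uintptr_t)(vm->stack + base);   /* pointer the bug would reuse */

    if (nested_call(vm, 1024) != 0) return -1;          /* stack grows: buffer moved */

    if (!rederive && (uintptr_t)(vm->stack + base) != cached)
        return -2;  /* writing through `cached` here would be a heap-use-after-free */

    value *regs = vm->stack + base;                     /* recomputed after the call */
    memcpy(regs, args, nargs * sizeof *args);
    return 0;
}

/* Driver: 8-slot stack, caller frame in slots 0..3, super's window at slot 2.
 * Returns op_super's result and, on success, the second copied argument. */
int demo(int rederive, value *out)
{
    struct vm vm;
    if (vm_init(&vm, 8) != 0) return -1;
    vm.len = 4;
    value args[2] = { 0, 42 };   /* constructed arguments, like the 0 in M.new(0) */
    int rc = op_super(&vm, 2, args, 2, rederive);
    if (rc == 0 && out) *out = vm.stack[3];
    vm_free(&vm);
    return rc;
}

int main(void)
{
    value v = 0;
    printf("cached pointer across the call:    rc=%d\n", demo(0, &v));
    printf("pointer recomputed after the call: rc=%d, slot3=%lld\n", demo(1, &v), (long long)v);
    return 0;
}
```

The check for a stale pointer in the `rederive == 0` path stands in for the crash: in the real interpreter there is no such check, the memcpy simply proceeds into the freed block, and ASAN reports it as the heap-use-after-free above. The general rule the safe path follows is that any pointer into a growable buffer is valid only until the next call that can grow it, so a VM handler should hold an offset from the stack base across such calls and rebuild the pointer afterwards.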

@matz
Member

matz commented Apr 1, 2017

Cannot reproduce the issue as of 8d9d7c9

@matz
Member

matz commented Apr 1, 2017

No, I could reproduce the issue.

@matz matz closed this as completed in 1e87dfd Apr 1, 2017