Null pointer dereference in OP_SEND #3582

Closed
clayton-shopify opened this Issue Apr 3, 2017 · 1 comment

clayton-shopify commented Apr 3, 2017

The following input demonstrates a crash:

```ruby
def method_missing(meth,*args)
  yield(meth,args)
end

enum_for.next
```

ASAN report:

```
==56997==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00010967b5b1 bp 0x7fff566f3170 sp 0x7fff566eb660 T0)
==56997==The signal is caused by a READ memory access.
==56997==Hint: address points to the zero page.
    #0 0x10967b5b0 in mrb_vm_exec vm.c:1290
    #1 0x10966ff49 in mrb_vm_run vm.c:824
    #2 0x1096a2859 in mrb_top_run vm.c:2630
    #3 0x109773845 in mrb_load_exec parse.y:5762
    #4 0x109774655 in mrb_load_file_cxt parse.y:5771
    #5 0x10950ce76 in main mruby.c:227
    #6 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

==56997==Register values:
rax = 0x0000000109822060  rbx = 0xf2f20000f2f2f200  rcx = 0x0000000000000000  rdx = 0x000062f000007200
rdi = 0x0000100000000000  rsi = 0x000062f0000072a0  rbp = 0x00007fff566f3170  rsp = 0x00007fff566eb660
 r8 = 0x000000010000000e   r9 = 0x000000000000000e  r10 = 0x0000000000000000  r11 = 0xfffffe5000001a50
r12 = 0xf2f20000f1f1f1f1  r13 = 0x00001fffeacde484  r14 = 0xf2f20000f2f2f2f2  r15 = 0xf2f2f2f2f2040000
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV vm.c:1290 in mrb_vm_exec
==56997==ABORTING
Abort trap: 6
```

This issue was reported by https://hackerone.com/ston3
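The reported pattern, as an added example that is not part of the issue or the mruby project: a `method_missing` hook that yields unconditionally, placed in a dedicated class so the hook does not leak onto every object, next to a guarded variant that checks for a block and otherwise falls back to `super`. The class names `Unguarded`/`Guarded` and the helper functions are assumptions made here; the expected values are CRuby's behaviour, which the maintainer notes differs from mruby after the fix.

```ruby
# Unguarded: mirrors the crashing input from the report. In CRuby a yield
# with no block raises LocalJumpError; in mruby (before 03c8493) the same
# pattern driven through an enumerator reached a NULL dereference in OP_SEND.
class Unguarded
  def method_missing(meth, *args)
    yield(meth, args)
  end
end

# Guarded: only use the block when one was actually passed. Without a block,
# defer to BasicObject#method_missing so callers get a plain NoMethodError
# instead of a jump into a block that does not exist.
class Guarded
  def method_missing(meth, *args, &blk)
    return super unless blk
    blk.call(meth, args)
  end
end

# Drive the hook through an external enumerator, exactly as the report does
# (enum_for with no arguments enumerates via :each, which is missing here).
# Returns the first yielded value, or the exception class if it fails.
def first_from_enumerator(obj)
  obj.enum_for.next
rescue StandardError, StopIteration => e
  e.class
end

# Call the missing method directly with no block to show why the guard matters.
def call_without_block(obj)
  obj.each
rescue NoMethodError, LocalJumpError => e
  e.class
end

if __FILE__ == $PROGRAM_NAME
  p first_from_enumerator(Unguarded.new)   # [:each, []]
  p first_from_enumerator(Guarded.new)     # [:each, []]
  p call_without_block(Unguarded.new)      # LocalJumpError
  p call_without_block(Guarded.new)        # NoMethodError
end
```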

@matz matz closed this in 03c8493 Apr 10, 2017

matz commented Apr 10, 2017

Crash was fixed. The resulting behavior is different from CRuby though.