Null pointer dereference in kh_put_iv #3587

Closed
clayton-shopify opened this Issue Apr 4, 2017 · 0 comments


clayton-shopify commented Apr 4, 2017

The following input demonstrates a crash:

class Gryeding
  @@text = nil
  class <<#seSUMER_KEY = 'tesT'
SITE         = 'https://test.jira.cox'

odgf te@@text = nil
  class <<#seSUMER_KEY = 'tesT'
SITE         = 'https://test.jira.cox'

odgf text
!   @@text
  end
endxt
!   @@text
  end
end

Greeding.text= "hello world"
puts Greedmng.new.text

ASAN report:

==62698==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0001046b023d bp 0x7fff5b688130 sp 0x7fff5b687ed0 T0)
==62698==The signal is caused by a READ memory access.
==62698==Hint: address points to the zero page.
    #0 0x1046b023c in kh_put_iv (mruby:x86_64+0x10014223c)
    #1 0x1046b3dae in iv_put (mruby:x86_64+0x100145dae)
    #2 0x1046bc157 in mrb_mod_cv_set (mruby:x86_64+0x10014e157)
    #3 0x1046bd1c3 in mrb_vm_cv_set (mruby:x86_64+0x10014f1c3)
    #4 0x1046d6eb1 in mrb_vm_exec (mruby:x86_64+0x100168eb1)
    #5 0x1046d2f49 in mrb_vm_run (mruby:x86_64+0x100164f49)
    #6 0x104705859 in mrb_top_run (mruby:x86_64+0x100197859)
    #7 0x1047d6845 in mrb_load_exec (mruby:x86_64+0x100268845)
    #8 0x1047d7655 in mrb_load_file_cxt (mruby:x86_64+0x100269655)
    #9 0x10456fe76 in main mruby.c:227
    #10 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

==62698==Register values:
rax = 0x0000000000000000  rbx = 0x00007fff5b688180  rcx = 0x2f2f3a7370747470  rdx = 0x00000000000002a2
rdi = 0x0000100000000000  rsi = 0x05e5f74e6e0e8e8e  rbp = 0x00007fff5b688130  rsp = 0x00007fff5b687ed0
 r8 = 0x00000000000002a2   r9 = 0x2f2f3a7370747468  r10 = 0x00000001056f4a48  r11 = 0xa5e89a42d37c00ef
r12 = 0xf2f20000f1f1f1f1  r13 = 0x00001fffeb6d1e88  r14 = 0xf2f20000f2f2f2f2  r15 = 0xf2f2f2f2f2040000
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (mruby:x86_64+0x10014223c) in kh_put_iv
==62698==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ilsani

@matz matz closed this in 9094415 Apr 10, 2017
