Heap use-after-free in OP_RETURN #3589

Closed
clayton-shopify opened this Issue Apr 4, 2017 · 0 comments

@clayton-shopify
Contributor

clayton-shopify commented Apr 4, 2017

The following input demonstrates a crash:

def f(n)
    undef w
ensure
    begin
        f(n-1) if n > 0
    rescue
    end
end
f(15)

ASAN report:

==64053==ERROR: AddressSanitizer: heap-use-after-free on address 0x61e00000f8c0 at pc 0x000103e4680f bp 0x7fff5bebec10 sp 0x7fff5bebec08
READ of size 4 at 0x61e00000f8c0 thread T0
    #0 0x103e4680e in mrb_vm_exec (mruby:x86_64+0x10017980e)
    #1 0x103e31f39 in mrb_vm_run (mruby:x86_64+0x100164f39)
    #2 0x103e2abfe in mrb_run (mruby:x86_64+0x10015dbfe)
    #3 0x103e61cee in ecall (mruby:x86_64+0x100194cee)
    #4 0x103e46845 in mrb_vm_exec (mruby:x86_64+0x100179845)
    #5 0x103e31f39 in mrb_vm_run (mruby:x86_64+0x100164f39)
    #6 0x103e2abfe in mrb_run (mruby:x86_64+0x10015dbfe)
    #7 0x103e61cee in ecall (mruby:x86_64+0x100194cee)
    #8 0x103e46845 in mrb_vm_exec (mruby:x86_64+0x100179845)
    #9 0x103e31f39 in mrb_vm_run (mruby:x86_64+0x100164f39)
    #10 0x103e2abfe in mrb_run (mruby:x86_64+0x10015dbfe)
    #11 0x103e61cee in ecall (mruby:x86_64+0x100194cee)
    #12 0x103e46845 in mrb_vm_exec (mruby:x86_64+0x100179845)
    #13 0x103e31f39 in mrb_vm_run (mruby:x86_64+0x100164f39)
    #14 0x103e2abfe in mrb_run (mruby:x86_64+0x10015dbfe)
    #15 0x103e61cee in ecall (mruby:x86_64+0x100194cee)
    #16 0x103e46845 in mrb_vm_exec (mruby:x86_64+0x100179845)
    #17 0x103e31f39 in mrb_vm_run (mruby:x86_64+0x100164f39)
    #18 0x103e2abfe in mrb_run (mruby:x86_64+0x10015dbfe)
    #19 0x103e61cee in ecall (mruby:x86_64+0x100194cee)
    #20 0x103e46845 in mrb_vm_exec (mruby:x86_64+0x100179845)
    #21 0x103e31f39 in mrb_vm_run (mruby:x86_64+0x100164f39)
    #22 0x103e2abfe in mrb_run (mruby:x86_64+0x10015dbfe)
    #23 0x103e61cee in ecall (mruby:x86_64+0x100194cee)
    #24 0x103e46845 in mrb_vm_exec (mruby:x86_64+0x100179845)
    #25 0x103e31f39 in mrb_vm_run (mruby:x86_64+0x100164f39)
    #26 0x103e2abfe in mrb_run (mruby:x86_64+0x10015dbfe)
    #27 0x103e61cee in ecall (mruby:x86_64+0x100194cee)
    #28 0x103e46845 in mrb_vm_exec (mruby:x86_64+0x100179845)
    #29 0x103e31f39 in mrb_vm_run (mruby:x86_64+0x100164f39)
    #30 0x103e2abfe in mrb_run (mruby:x86_64+0x10015dbfe)
    #31 0x103e61cee in ecall (mruby:x86_64+0x100194cee)
    #32 0x103e46845 in mrb_vm_exec (mruby:x86_64+0x100179845)
    #33 0x103e31f39 in mrb_vm_run (mruby:x86_64+0x100164f39)
    #34 0x103e2abfe in mrb_run (mruby:x86_64+0x10015dbfe)
    #35 0x103e61cee in ecall (mruby:x86_64+0x100194cee)
    #36 0x103e46845 in mrb_vm_exec (mruby:x86_64+0x100179845)
    #37 0x103e31f39 in mrb_vm_run (mruby:x86_64+0x100164f39)
    #38 0x103e2abfe in mrb_run (mruby:x86_64+0x10015dbfe)
    #39 0x103e61cee in ecall (mruby:x86_64+0x100194cee)
    #40 0x103e46845 in mrb_vm_exec (mruby:x86_64+0x100179845)
    #41 0x103e31f39 in mrb_vm_run (mruby:x86_64+0x100164f39)
    #42 0x103e2abfe in mrb_run (mruby:x86_64+0x10015dbfe)
    #43 0x103e61cee in ecall (mruby:x86_64+0x100194cee)
    #44 0x103e46845 in mrb_vm_exec (mruby:x86_64+0x100179845)
    #45 0x103e31f39 in mrb_vm_run (mruby:x86_64+0x100164f39)
    #46 0x103e2abfe in mrb_run (mruby:x86_64+0x10015dbfe)
    #47 0x103e61cee in ecall (mruby:x86_64+0x100194cee)
    #48 0x103e46845 in mrb_vm_exec (mruby:x86_64+0x100179845)
    #49 0x103e31f39 in mrb_vm_run (mruby:x86_64+0x100164f39)
    #50 0x103e2abfe in mrb_run (mruby:x86_64+0x10015dbfe)
    #51 0x103e61cee in ecall (mruby:x86_64+0x100194cee)
    #52 0x103e46845 in mrb_vm_exec (mruby:x86_64+0x100179845)
    #53 0x103e31f39 in mrb_vm_run (mruby:x86_64+0x100164f39)
    #54 0x103e64849 in mrb_top_run (mruby:x86_64+0x100197849)
    #55 0x103f35845 in mrb_load_exec (mruby:x86_64+0x100268845)
    #56 0x103f36655 in mrb_load_file_cxt (mruby:x86_64+0x100269655)
    #57 0x103ccee66 in main mruby.c:227
    #58 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

0x61e00000f8c0 is located 2112 bytes inside of 2560-byte region [0x61e00000f080,0x61e00000fa80)
freed by thread T0 here:
    #0 0x1040e3520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x103dc6cf5 in mrb_default_allocf (mruby:x86_64+0x1000f9cf5)
    #2 0x103d484f8 in mrb_realloc_simple gc.c:202
    #3 0x103d48bde in mrb_realloc gc.c:216
    #4 0x103e29d99 in cipush (mruby:x86_64+0x10015cd99)
    #5 0x103e40e4e in mrb_vm_exec (mruby:x86_64+0x100173e4e)
    #6 0x103e31f39 in mrb_vm_run (mruby:x86_64+0x100164f39)
    #7 0x103e2abfe in mrb_run (mruby:x86_64+0x10015dbfe)
    #8 0x103e28547 in mrb_funcall_with_block (mruby:x86_64+0x10015b547)
    #9 0x103e24f17 in mrb_funcall_argv (mruby:x86_64+0x100157f17)
    #10 0x103d0c955 in mrb_obj_new (mruby:x86_64+0x10003f955)
    #11 0x103d36fe9 in raise_va (mruby:x86_64+0x100069fe9)
    #12 0x103d374b6 in mrb_name_error (mruby:x86_64+0x10006a4b6)
    #13 0x103d1172b in undef_method (mruby:x86_64+0x10004472b)
    #14 0x103d20bc0 in mrb_mod_undef (mruby:x86_64+0x100053bc0)
    #15 0x103e3cd88 in mrb_vm_exec (mruby:x86_64+0x10016fd88)
    #16 0x103e31f39 in mrb_vm_run (mruby:x86_64+0x100164f39)
    #17 0x103e2abfe in mrb_run (mruby:x86_64+0x10015dbfe)
    #18 0x103e61cee in ecall (mruby:x86_64+0x100194cee)
    #19 0x103e46845 in mrb_vm_exec (mruby:x86_64+0x100179845)
    #20 0x103e31f39 in mrb_vm_run (mruby:x86_64+0x100164f39)
    #21 0x103e2abfe in mrb_run (mruby:x86_64+0x10015dbfe)
    #22 0x103e61cee in ecall (mruby:x86_64+0x100194cee)
    #23 0x103e46845 in mrb_vm_exec (mruby:x86_64+0x100179845)
    #24 0x103e31f39 in mrb_vm_run (mruby:x86_64+0x100164f39)
    #25 0x103e2abfe in mrb_run (mruby:x86_64+0x10015dbfe)
    #26 0x103e61cee in ecall (mruby:x86_64+0x100194cee)
    #27 0x103e46845 in mrb_vm_exec (mruby:x86_64+0x100179845)
    #28 0x103e31f39 in mrb_vm_run (mruby:x86_64+0x100164f39)
    #29 0x103e2abfe in mrb_run (mruby:x86_64+0x10015dbfe)

previously allocated by thread T0 here:
    #0 0x1040e3520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x103dc6cf5 in mrb_default_allocf (mruby:x86_64+0x1000f9cf5)
    #2 0x103d484f8 in mrb_realloc_simple gc.c:202
    #3 0x103d48bde in mrb_realloc gc.c:216
    #4 0x103d49663 in mrb_malloc gc.c:237
    #5 0x103d496fd in mrb_calloc gc.c:255
    #6 0x103e28fa5 in stack_init (mruby:x86_64+0x10015bfa5)
    #7 0x103e25dbf in mrb_funcall_with_block (mruby:x86_64+0x100158dbf)
    #8 0x103e25737 in mrb_funcall_with_block (mruby:x86_64+0x100158737)
    #9 0x103e24f17 in mrb_funcall_argv (mruby:x86_64+0x100157f17)
    #10 0x103d0c955 in mrb_obj_new (mruby:x86_64+0x10003f955)
    #11 0x103d314ad in mrb_exc_new_str (mruby:x86_64+0x1000644ad)
    #12 0x103d3b277 in mrb_init_exception (mruby:x86_64+0x10006e277)
    #13 0x103d6c0e0 in mrb_init_core (mruby:x86_64+0x10009f0e0)
    #14 0x103dc6c8e in mrb_open_core (mruby:x86_64+0x1000f9c8e)
    #15 0x103dc6e5c in mrb_open_allocf (mruby:x86_64+0x1000f9e5c)
    #16 0x103dc6e27 in mrb_open (mruby:x86_64+0x1000f9e27)
    #17 0x103ccdd78 in main mruby.c:171
    #18 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-use-after-free (mruby:x86_64+0x10017980e) in mrb_vm_exec
==64053==ABORTING
Abort trap: 6

This issue was reported by Dinko Galetic & Denis Kasak (https://hackerone.com/dgaletic).
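The report's free site (mrb_realloc called from cipush) and read site (mrb_vm_exec, in OP_RETURN) describe a growable frame array being reallocated while the interpreter still holds a pointer into it. The constructed C model below is an added example, not mruby's code: `cipush`, `cipop`, `run_ensure`, `return_unsafe` and `return_safe` are all hypothetical stand-ins that show the dangling-pointer shape and the index-based alternative that survives a reallocation.

```c
#include <stddef.h>
#include <stdlib.h>
/* Toy model of a VM call-info stack, constructed for this example (not mruby's code). */
typedef struct { int depth; } callinfo;
typedef struct {
    callinfo *cibase, *ciend, *ci;  /* array start, one past capacity, current frame */
    int grows;                      /* how many times realloc moved the array */
} context;

static int ci_init(context *c, size_t cap) {
    c->cibase = calloc(cap, sizeof *c->cibase);
    if (!c->cibase) return -1;
    c->ciend = c->cibase + cap; c->ci = c->cibase; c->grows = 0;  /* frame 0 */
    return 0;
}
static void ci_free(context *c) { free(c->cibase); c->cibase = c->ciend = c->ci = NULL; }

/* Push a frame. Growing the array may realloc it, so any callinfo* the caller
   saved before this call is dangling afterwards: that is the free site in the report. */
static callinfo *cipush(context *c) {
    if (c->ci + 1 >= c->ciend) {
        size_t idx = (size_t)(c->ci - c->cibase), cap = (size_t)(c->ciend - c->cibase) * 2;
        callinfo *nb = realloc(c->cibase, cap * sizeof *nb);
        if (!nb) return NULL;
        c->cibase = nb; c->ciend = nb + cap; c->ci = nb + idx; c->grows++;
    }
    c->ci++;
    c->ci->depth = c->ci[-1].depth + 1;
    return c->ci;
}
static void cipop(context *c) { c->ci--; }

/* Stand-in for running an ensure clause: nested calls push frames, then unwind. */
static void run_ensure(context *c, int nframes) {
    for (int i = 0; i < nframes; i++) cipush(c);
    for (int i = 0; i < nframes; i++) cipop(c);
}

/* Buggy shape: a callinfo* cached across a call that can grow the stack.
   Returns 1 when the cached pointer went stale; dereferencing it then is the UAF. */
static int return_unsafe(context *c, int nframes) {
    callinfo *ci = c->ci; int grows = c->grows;
    run_ensure(c, nframes);
    (void)ci;   /* ci->depth here would read freed memory once grows changed */
    return c->grows != grows;
}
/* Fixed shape: keep an index and re-derive the pointer after the call. */
static int return_safe(context *c, int nframes) {
    ptrdiff_t idx = c->ci - c->cibase;
    run_ensure(c, nframes);
    return (c->cibase + idx)->depth;
}
```

Running the model under AddressSanitizer with the `(void)ci` replaced by a read of `ci->depth` reproduces the same "freed by realloc in cipush" shape as the report above.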

@matz matz closed this in a55b237 Apr 10, 2017
