Heap buffer overflow in mrb_env_unshare #3601

Closed
clayton-shopify opened this Issue Apr 11, 2017 · 0 comments

clayton-shopify commented Apr 11, 2017

The following input demonstrates a crash:

def a
  yield                   # run the caller's block, whose `return` unwinds non-locally through this frame
ensure
  GC.start                # force a collection while that return is still unwinding
  lambda { return }.call  # a second return issued from inside the ensure clause
end
a { return }.call

ASAN report:

==90441==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e00000f070 at pc 0x000100d64f4e bp 0x7fff5efe9500 sp 0x7fff5efe94f8
READ of size 4 at 0x61e00000f070 thread T0
    #0 0x100d64f4d in mrb_env_unshare (mruby:x86_64+0x100157f4d)
    #1 0x100d694d2 in cipop (mruby:x86_64+0x10015c4d2)
    #2 0x100d86b80 in mrb_vm_exec (mruby:x86_64+0x100179b80)
    #3 0x100d72ad9 in mrb_vm_run (mruby:x86_64+0x100165ad9)
    #4 0x100da5549 in mrb_top_run (mruby:x86_64+0x100198549)
    #5 0x100e76805 in mrb_load_exec (mruby:x86_64+0x100269805)
    #6 0x100e77615 in mrb_load_file_cxt (mruby:x86_64+0x10026a615)
    #7 0x100c0f2e6 in main mruby.c:227
    #8 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

0x61e00000f070 is located 16 bytes to the left of 2560-byte region [0x61e00000f080,0x61e00000fa80)
allocated by thread T0 here:
    #0 0x10101e520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x100d078a5 in mrb_default_allocf (mruby:x86_64+0x1000fa8a5)
    #2 0x100c88be8 in mrb_realloc_simple gc.c:202
    #3 0x100c892ce in mrb_realloc gc.c:216
    #4 0x100c89d53 in mrb_malloc gc.c:237
    #5 0x100c89ded in mrb_calloc gc.c:255
    #6 0x100d69b55 in stack_init (mruby:x86_64+0x10015cb55)
    #7 0x100d66bd7 in mrb_funcall_with_block (mruby:x86_64+0x100159bd7)
    #8 0x100d6655a in mrb_funcall_with_block (mruby:x86_64+0x10015955a)
    #9 0x100d65d47 in mrb_funcall_argv (mruby:x86_64+0x100158d47)
    #10 0x100c4d045 in mrb_obj_new (mruby:x86_64+0x100040045)
    #11 0x100c71b9d in mrb_exc_new_str (mruby:x86_64+0x100064b9d)
    #12 0x100c7b967 in mrb_init_exception (mruby:x86_64+0x10006e967)
    #13 0x100cac990 in mrb_init_core (mruby:x86_64+0x10009f990)
    #14 0x100d0783e in mrb_open_core (mruby:x86_64+0x1000fa83e)
    #15 0x100d07a0c in mrb_open_allocf (mruby:x86_64+0x1000faa0c)
    #16 0x100d079d7 in mrb_open (mruby:x86_64+0x1000fa9d7)
    #17 0x100c0e1f8 in main mruby.c:171
    #18 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-buffer-overflow (mruby:x86_64+0x100157f4d) in mrb_env_unshare
Shadow bytes around the buggy address:
  0x1c3c00001db0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3c00001dc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3c00001dd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3c00001de0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x1c3c00001df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c3c00001e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa
  0x1c3c00001e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3c00001e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3c00001e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3c00001e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3c00001e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==90441==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ssarong

@matz matz closed this in 0fb05eb Apr 12, 2017
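The ASAN output above already contains the facts a triager needs, but they are spread over three stanzas. The helper below is an added example for this page, not mruby's code and not the reporter's: it parses a constructed excerpt of the report (the header, the faulting stack, the region line and the allocation stack, verbatim but with the deeper frames trimmed) and reduces it to the bug class, the access kind and size, the innermost faulting frame, the signed offset of the access from the start of the nearest heap region, and the first non-allocator frame of the allocation stack. Run on this report it shows that the 4-byte read in `mrb_env_unshare` lands 16 bytes before the start of the 2560-byte buffer allocated in `stack_init`, entirely inside the left redzone (the `fa` shadow bytes above), i.e. a read before an allocation rather than past its end. The names `parse_asan_report`, `Triage`, `describe` and `triage_this_issue` are this example's own, and treating "first allocation frame whose name does not contain `alloc`" as the allocation site is a heuristic, not an ASAN rule.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed excerpt of the ASAN report posted in this issue (frames trimmed).
ASAN_REPORT = """\
==90441==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e00000f070 at pc 0x000100d64f4e bp 0x7fff5efe9500 sp 0x7fff5efe94f8
READ of size 4 at 0x61e00000f070 thread T0
    #0 0x100d64f4d in mrb_env_unshare (mruby:x86_64+0x100157f4d)
    #1 0x100d694d2 in cipop (mruby:x86_64+0x10015c4d2)
    #2 0x100d86b80 in mrb_vm_exec (mruby:x86_64+0x100179b80)

0x61e00000f070 is located 16 bytes to the left of 2560-byte region [0x61e00000f080,0x61e00000fa80)
allocated by thread T0 here:
    #0 0x10101e520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x100d078a5 in mrb_default_allocf (mruby:x86_64+0x1000fa8a5)
    #2 0x100c88be8 in mrb_realloc_simple gc.c:202
    #3 0x100c892ce in mrb_realloc gc.c:216
    #4 0x100c89d53 in mrb_malloc gc.c:237
    #5 0x100c89ded in mrb_calloc gc.c:255
    #6 0x100d69b55 in stack_init (mruby:x86_64+0x10015cb55)

SUMMARY: AddressSanitizer: heap-buffer-overflow (mruby:x86_64+0x100157f4d) in mrb_env_unshare
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+) thread (T\d+)", re.M)
REGION_RE = re.compile(
    r"^(0x[0-9a-f]+) is located (\d+) bytes (?:to the (left|right) of|(inside) of) "
    r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", re.M)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+)", re.M)

@dataclass
class Triage:
    bug_class: str
    access: str             # READ or WRITE
    size: int               # bytes touched by the faulting access
    address: int
    fault_stack: List[str]  # innermost frame first
    region_start: int
    region_end: int
    position: str           # "left", "right" or "inside" relative to the region
    offset: int             # signed byte offset of the access from region start
    alloc_stack: List[str]

    @property
    def fault_frame(self) -> str:
        return self.fault_stack[0]

    @property
    def region_size(self) -> int:
        return self.region_end - self.region_start

    @property
    def alloc_site(self) -> str:
        # Heuristic (assumption): first allocation frame that is not an allocator wrapper.
        return next((f for f in self.alloc_stack if "alloc" not in f.lower()), "?")

    @property
    def entirely_outside_region(self) -> bool:
        return self.offset + self.size <= 0 or self.offset >= self.region_size

def parse_asan_report(text: str) -> Triage:
    hdr, acc, reg = HEADER_RE.search(text), ACCESS_RE.search(text), REGION_RE.search(text)
    if not (hdr and acc and reg):
        raise ValueError("not a recognised AddressSanitizer heap report")
    address = int(hdr.group(2), 16)
    region_start, region_end = int(reg.group(6), 16), int(reg.group(7), 16)
    distance, position = int(reg.group(2)), reg.group(3) or reg.group(4)
    if position == "left":
        offset = -distance
    elif position == "right":
        offset = (region_end - region_start) + distance
    else:
        offset = distance
    # Cross-check: the region line must agree with the fault address itself.
    if address - region_start != offset:
        raise ValueError("region description disagrees with the fault address")
    # Frames before the region line belong to the access; frames between it
    # and SUMMARY belong to the allocation site.
    summary_at = text.find("SUMMARY:")
    fault_stack = FRAME_RE.findall(text[:reg.start()])
    alloc_stack = FRAME_RE.findall(text[reg.end():summary_at if summary_at >= 0 else len(text)])
    return Triage(hdr.group(1), acc.group(1), int(acc.group(2)), address,
                  fault_stack, region_start, region_end, position, offset, alloc_stack)

def describe(t: Triage) -> str:
    scope = "entirely outside" if t.entirely_outside_region else "straddling or inside"
    return (f"{t.bug_class}: {t.access} of {t.size} bytes in {t.fault_frame} at offset "
            f"{t.offset:+d} of a {t.region_size}-byte region allocated in {t.alloc_site} "
            f"({scope} the region)")

def triage_this_issue() -> Triage:
    return parse_asan_report(ASAN_REPORT)

if __name__ == "__main__":
    print(describe(triage_this_issue()))
```

The cross-check between the "is located" line and the fault address is deliberate: when a report has been hand-edited or truncated while being pasted into a tracker, the two can disagree, and a triage tool should refuse rather than silently report the wrong offset. The same parser handles the "bytes to the right of" (classic overflow) and "bytes inside of" (use-after-free style) variants of the region line.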
