Null pointer dereference in kh_get_iv #3602

Closed
clayton-shopify opened this Issue Apr 11, 2017 · 0 comments

clayton-shopify commented Apr 11, 2017

The following input demonstrates a crash:

class << "0"
  class M e
  end
end

ASAN report:

==99582==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x00010b1b02ff bp 0x7fff54b85a70 sp 0x7fff54b85990 T0)
==99582==The signal is caused by a READ memory access.
==99582==Hint: address points to the zero page.
    #0 0x10b1b02fe in kh_get_iv (mruby:x86_64+0x1001422fe)
    #1 0x10b1b30fe in iv_get (mruby:x86_64+0x1001450fe)
    #2 0x10b1b2f2a in mrb_obj_iv_get (mruby:x86_64+0x100144f2a)
    #3 0x10b0af9ac in mrb_class_path (mruby:x86_64+0x1000419ac)
    #4 0x10b0afd2e in mrb_class_path (mruby:x86_64+0x100041d2e)
    #5 0x10b0c02e2 in mrb_mod_to_s (mruby:x86_64+0x1000522e2)
    #6 0x10b1c9d10 in mrb_funcall_with_block (mruby:x86_64+0x10015bd10)
    #7 0x10b1c6d47 in mrb_funcall_argv (mruby:x86_64+0x100158d47)
    #8 0x10b117982 in mrb_method_missing (mruby:x86_64+0x1000a9982)
    #9 0x10b1dd889 in mrb_vm_exec (mruby:x86_64+0x10016f889)
    #10 0x10b1d3ad9 in mrb_vm_run (mruby:x86_64+0x100165ad9)
    #11 0x10b206549 in mrb_top_run (mruby:x86_64+0x100198549)
    #12 0x10b2d7805 in mrb_load_exec (mruby:x86_64+0x100269805)
    #13 0x10b2d8615 in mrb_load_file_cxt (mruby:x86_64+0x10026a615)
    #14 0x10b0702e6 in main mruby.c:227
    #15 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

==99582==Register values:
rax = 0x0000000000000030  rbx = 0x00007fff54b85b60  rcx = 0x0000100000000000  rdx = 0x0000000000000887
rdi = 0x0000100000000006  rsi = 0x0000000000000030  rbp = 0x00007fff54b85a70  rsp = 0x00007fff54b85990
 r8 = 0x00007fff54b85b00   r9 = 0x00000000000002a3  r10 = 0x000062f000002128  r11 = 0x00001c5e00000425
r12 = 0x00007fff54b85cc0  r13 = 0x00007fff54b85ce0  r14 = 0x0000100000000000  r15 = 0x00007fff54b85ca0
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (mruby:x86_64+0x1001422fe) in kh_get_iv
==99582==ABORTING
Abort trap: 6

This issue was reported by Dinko Galetic and Denis Kasak (https://hackerone.com/dgaletic).
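The trace above runs mrb_class_path -> mrb_obj_iv_get -> iv_get -> kh_get_iv, and ASAN's hint that the faulting address 0x30 "points to the zero page" is consistent with a lookup reading a field of a NULL instance-variable table (that reading is an inference from the report, not a statement about what a25404c changed). As an added illustration, not mruby's code, the following toy ivar table shows the defensive shape such a lookup needs: an object's table is lazily allocated and stays NULL until the first ivar is set, so every read path must treat a NULL table as "no ivars" instead of probing it. All names (`iv_tbl`, `object`, `obj_iv_get`, `SYM_CLASSNAME`) are hypothetical.

```c
#include <stdlib.h>

/* Hypothetical fixed-capacity open-addressing map from symbol id to value.
 * Constructed for this illustration; it is not mruby's khash. */
#define IV_CAP 16

typedef struct iv_tbl {
    unsigned      keys[IV_CAP];
    int           vals[IV_CAP];
    unsigned char used[IV_CAP];
    size_t        n;
} iv_tbl;

typedef struct object {
    iv_tbl *iv;   /* NULL until the first ivar is set (lazily allocated) */
} object;

/* Returns 1 and stores the value when sym is present, 0 otherwise.
 * The NULL guard is the point: a never-populated object simply has no ivars. */
static int iv_tbl_get(const iv_tbl *t, unsigned sym, int *out)
{
    if (t == NULL) return 0;                 /* table not allocated yet */
    for (unsigned i = 0; i < IV_CAP; i++) {
        unsigned idx = (sym + i) % IV_CAP;   /* linear probe */
        if (!t->used[idx]) return 0;         /* empty slot ends the probe */
        if (t->keys[idx] == sym) {
            if (out) *out = t->vals[idx];
            return 1;
        }
    }
    return 0;
}

/* Inserts or overwrites; returns 0 when the table is full. */
static int iv_tbl_set(iv_tbl *t, unsigned sym, int val)
{
    for (unsigned i = 0; i < IV_CAP; i++) {
        unsigned idx = (sym + i) % IV_CAP;
        if (!t->used[idx]) {
            if (t->n >= IV_CAP) return 0;
            t->used[idx] = 1; t->keys[idx] = sym; t->vals[idx] = val; t->n++;
            return 1;
        }
        if (t->keys[idx] == sym) { t->vals[idx] = val; return 1; }
    }
    return 0;
}

int obj_iv_get(const object *o, unsigned sym, int *out)
{
    return iv_tbl_get(o->iv, sym, out);      /* safe even while o->iv == NULL */
}

int obj_iv_set(object *o, unsigned sym, int val)
{
    if (o->iv == NULL) {                     /* allocate on first write only */
        o->iv = calloc(1, sizeof *o->iv);
        if (o->iv == NULL) return 0;
    }
    return iv_tbl_set(o->iv, sym, val);
}

void obj_free(object *o)
{
    free(o->iv);
    o->iv = NULL;
}

/* Mirrors the failing path in the report: a class object that has never had
 * an ivar set is asked for its cached name. Returns the value, or -1 if absent. */
#define SYM_CLASSNAME 7u

int class_name_or_missing(const object *klass)
{
    int v;
    return obj_iv_get(klass, SYM_CLASSNAME, &v) ? v : -1;
}
```

The read path is the one that has to carry the guard: writers can lazily allocate, but any reader reachable before the first write (here, a name lookup on a freshly created class) sees the NULL table, and without the check the first field access lands in the zero page exactly as the ASAN report shows.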

@matz matz closed this in a25404c Apr 12, 2017

matz added a commit that referenced this issue Apr 12, 2017