
Heap buffer overflow in OP_SEND #3605

Closed
clayton-shopify opened this Issue Apr 12, 2017 · 1 comment

@clayton-shopify
Contributor

clayton-shopify commented Apr 12, 2017

The following input demonstrates a crash:

class << Kernel
  sym = '`'.to_sym

  alias_method :old_cmd, sym

  define_method(sym) { `test`; x }

  `test`
end

t = `#{sym}`

ASAN report:

==45104==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001de88 at pc 0x000105b91386 bp 0x7fff5a1d4610 sp 0x7fff5a1d4608
WRITE of size 4 at 0x61d00001de88 thread T0
    #0 0x105b91385 in mrb_vm_exec (mruby:x86_64+0x10016f385)
    #1 0x105b88519 in mrb_vm_run (mruby:x86_64+0x100166519)
    #2 0x105bbaf89 in mrb_top_run (mruby:x86_64+0x100198f89)
    #3 0x105c8cca5 in mrb_load_exec (mruby:x86_64+0x10026aca5)
    #4 0x105c8d5f5 in mrb_load_file_cxt (mruby:x86_64+0x10026b5f5)
    #5 0x105a24906 in main mruby.c:227
    #6 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

0x61d00001de88 is located 8 bytes to the right of 2048-byte region [0x61d00001d680,0x61d00001de80)
allocated by thread T0 here:
    #0 0x105e38520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x105b1d235 in mrb_default_allocf (mruby:x86_64+0x1000fb235)
    #2 0x105a9e578 in mrb_realloc_simple gc.c:202
    #3 0x105a9ec5e in mrb_realloc gc.c:216
    #4 0x105a9f6e3 in mrb_malloc gc.c:237
    #5 0x105a9f77d in mrb_calloc gc.c:255
    #6 0x105b7f442 in stack_init (mruby:x86_64+0x10015d442)
    #7 0x105b7c600 in mrb_funcall_with_block (mruby:x86_64+0x10015a600)
    #8 0x105b7bf3a in mrb_funcall_with_block (mruby:x86_64+0x100159f3a)
    #9 0x105b7b727 in mrb_funcall_argv (mruby:x86_64+0x100159727)
    #10 0x105a629b5 in mrb_obj_new (mruby:x86_64+0x1000409b5)
    #11 0x105a8752d in mrb_exc_new_str (mruby:x86_64+0x10006552d)
    #12 0x105a912f7 in mrb_init_exception (mruby:x86_64+0x10006f2f7)
    #13 0x105ac2320 in mrb_init_core (mruby:x86_64+0x1000a0320)
    #14 0x105b1d1ce in mrb_open_core (mruby:x86_64+0x1000fb1ce)
    #15 0x105b1d39c in mrb_open_allocf (mruby:x86_64+0x1000fb39c)
    #16 0x105b1d367 in mrb_open (mruby:x86_64+0x1000fb367)
    #17 0x105a23818 in main mruby.c:171
    #18 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-buffer-overflow (mruby:x86_64+0x10016f385) in mrb_vm_exec
Shadow bytes around the buggy address:
  0x1c3a00003b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3a00003b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3a00003ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3a00003bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3a00003bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c3a00003bd0: fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3a00003be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3a00003bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3a00003c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3a00003c10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a00003c20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==45104==ABORTING
Abort trap: 6

Debug:

(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = Heap buffer overflow
  * frame #0: 0x00000001004a3940 libclang_rt.asan_osx_dynamic.dylib`__asan::AsanDie()
    frame #1: 0x00000001004ba248 libclang_rt.asan_osx_dynamic.dylib`__sanitizer::Die() + 88
    frame #2: 0x00000001004a1207 libclang_rt.asan_osx_dynamic.dylib`__asan::ScopedInErrorReport::~ScopedInErrorReport() + 311
    frame #3: 0x00000001004a0c9a libclang_rt.asan_osx_dynamic.dylib`__asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) + 410
    frame #4: 0x00000001004a1d8e libclang_rt.asan_osx_dynamic.dylib`__asan_report_store4 + 46
    frame #5: 0x000000010016f386 mruby`mrb_vm_exec(mrb=0x000061400000a440, proc=0x000062f000001f90, pc=0x000060300000b0bc) at vm.c:1206
    frame #6: 0x000000010016651a mruby`mrb_vm_run(mrb=0x000061400000a440, proc=0x000062f000002080, self=mrb_value @ 0x00007fff5fbfe140, stack_keep=6) at vm.c:827
    frame #7: 0x0000000100198f8a mruby`mrb_top_run(mrb=0x000061400000a440, proc=0x000062f000002080, self=mrb_value @ 0x00007fff5fbfe340, stack_keep=0) at vm.c:2651
    frame #8: 0x000000010026aca6 mruby`mrb_load_exec(mrb=0x000061400000a440, p=0x000062800000c120, c=0x000060600000a040) at parse.y:5780
    frame #9: 0x000000010026b5f6 mruby`mrb_load_file_cxt(mrb=0x000061400000a440, f=0x00007fffc4ab40b0, c=0x000060600000a040) at parse.y:5789
    frame #10: 0x0000000100002907 mruby`main(argc=2, argv=0x00007fff5fbff4f0) at mruby.c:227
    frame #11: 0x00007fffbbbba235 libdyld.dylib`start + 1
(lldb) frame select 5
frame #5: 0x000000010016f386 mruby`mrb_vm_exec(mrb=0x000061400000a440, proc=0x000062f000001f90, pc=0x000060300000b0bc) at vm.c:1206
   1203	        bidx = a+n+1;
   1204	      }
   1205	      if (GET_OPCODE(i) != OP_SENDB) {
-> 1206	        SET_NIL_VALUE(regs[bidx]);
   1207	      }
   1208	      else {
   1209	        mrb_value blk = regs[bidx];

This issue was reported by https://hackerone.com/bku
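The frame at vm.c:1206 stores nil into regs[bidx] with bidx = a+n+1 (vm.c:1203), and the ASAN report places that 4-byte store 8 bytes past the end of a 2048-byte region allocated by stack_init. The C model below is added here for illustration and is not mruby's code or the fix in 3123549; it assumes a register file of 128 slots of 16 bytes with the type tag at offset 8 (an assumption consistent with the report) and puts the unchecked index arithmetic beside a write that grows the register file before storing.

```c
/* Illustrative model of the OP_SEND block-register write at vm.c:1206, with a
 * bounds-checked variant. Not mruby's code and not the fix in 3123549. */
#include <stdlib.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

#define STACK_INIT_SLOTS 128  /* assumed: 128 slots * 16 bytes = the 2048-byte region */
typedef struct { long long value; int tt; } vm_value; /* 16 bytes, tt at offset 8 */
enum { TT_FALSE = 0, TT_NIL = 1 };

typedef struct {
    vm_value *base;  /* heap-allocated register file */
    size_t    size;  /* slots allocated */
    size_t    sp;    /* index of regs[0] for the current frame */
} vm_stack;

/* Allocate the initial register file, as stack_init does in the ASAN trace. */
bool stack_init(vm_stack *st, size_t sp) {
    st->base = calloc(STACK_INIT_SLOTS, sizeof(vm_value));
    st->size = STACK_INIT_SLOTS;
    st->sp = sp;
    return st->base != NULL;
}

/* OP_SEND puts the block in register a+n+1 (vm.c:1203). */
size_t block_reg_index(size_t a, size_t n) { return a + n + 1; }
/* Bytes past the end of the allocation that the unchecked
 * SET_NIL_VALUE(regs[bidx]) would touch (measured at tt); 0 means in bounds.
 * Only computed, never performed: performing it is the bug. */
ptrdiff_t overflow_bytes(const vm_stack *st, size_t a, size_t n) {
    size_t slot = st->sp + block_reg_index(a, n);
    if (slot < st->size) return 0;
    return (ptrdiff_t)((slot - st->size) * sizeof(vm_value) + offsetof(vm_value, tt));
}

/* Same store, but the register file is grown first so it cannot leave the
 * allocation. Returns false only if realloc fails. */
bool set_block_nil_checked(vm_stack *st, size_t a, size_t n) {
    size_t slot = st->sp + block_reg_index(a, n);
    if (slot >= st->size) {
        size_t new_size = st->size * 2;
        while (slot >= new_size) new_size *= 2;
        vm_value *grown = realloc(st->base, new_size * sizeof(vm_value));
        if (!grown) return false;
        memset(grown + st->size, 0, (new_size - st->size) * sizeof(vm_value));
        st->base = grown;
        st->size = new_size;
    }
    st->base[slot].tt = TT_NIL;  /* the write from vm.c:1206, now in bounds */
    return true;
}
```

With the frame base at slot 120 and a+n+1 = 8, the unchecked write lands exactly 8 bytes past the region, which is the offset ASAN reported.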

Contributor

clayton-shopify commented Apr 12, 2017

https://hackerone.com/geeknik reported another input producing the same crash:

def`r
``end+``

@matz matz closed this in 3123549 Apr 12, 2017

matz added a commit that referenced this issue Apr 12, 2017
