
Heap buffer overflow in mrb_funcall_with_block #3606

Closed
clayton-shopify opened this Issue Apr 12, 2017 · 0 comments


clayton-shopify commented Apr 12, 2017

The following input demonstrates a crash:

c=Hash.new{|s|s[0]==0}.default(0)

Crash location:

   436 	    if (ci->argc > 0) {
   437 	      stack_copy(mrb->c->stack+1, argv, argc);
   438 	    }
-> 439 	    mrb->c->stack[argc+1] = blk;
   440
   441 	    if (MRB_PROC_CFUNC_P(p)) {
   442 	      int ai = mrb_gc_arena_save(mrb);

Stack trace:

* thread #1, queue = 'com.apple.main-thread', stop reason = Heap buffer overflow
  * frame #0: 0x00000001004a3940 libclang_rt.asan_osx_dynamic.dylib`__asan::AsanDie()
    frame #1: 0x00000001004ba248 libclang_rt.asan_osx_dynamic.dylib`__sanitizer::Die() + 88
    frame #2: 0x00000001004a1207 libclang_rt.asan_osx_dynamic.dylib`__asan::ScopedInErrorReport::~ScopedInErrorReport() + 311
    frame #3: 0x00000001004a0c9a libclang_rt.asan_osx_dynamic.dylib`__asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) + 410
    frame #4: 0x00000001004934f7 libclang_rt.asan_osx_dynamic.dylib`__asan_memcpy + 1367
    frame #5: 0x000000010015c506 mruby`mrb_funcall_with_block(mrb=0x000061400000a440, self=mrb_value @ 0x00007fff5fb348e0, mid=116, argc=2, argv=0x00007fff5fb34e40, blk=mrb_value @ 0x00007fff5fb33ff0) at vm.c:439
    frame #6: 0x0000000100159728 mruby`mrb_funcall_argv(mrb=0x000061400000a440, self=mrb_value @ 0x00007fff5fb34c20, mid=116, argc=2, argv=0x00007fff5fb34e40) at vm.c:462
    frame #7: 0x000000010015919f mruby`mrb_funcall(mrb=0x000061400000a440, self=mrb_value @ 0x00007fff5fb34e20, name="call", argc=2) at vm.c:346
    frame #8: 0x0000000100092c49 mruby`hash_default(mrb=0x000061400000a440, hash=mrb_value @ 0x00007fff5fb35360, key=mrb_value @ 0x00007fff5fb35380) at hash.c:382
    frame #9: 0x00000001000916c7 mruby`mrb_hash_get(mrb=0x000061400000a440, hash=mrb_value @ 0x00007fff5fb35660, key=mrb_value @ 0x00007fff5fb35680) at hash.c:180
    frame #10: 0x0000000100098ff5 mruby`mrb_hash_aget(mrb=0x000061400000a440, self=mrb_value @ 0x00007fff5fb35960) at hash.c:374
    frame #11: 0x00000001001712d5 mruby`mrb_vm_exec(mrb=0x000061400000a440, proc=0x000062f000002140, pc=0x000060300000b0bc) at vm.c:1272
    frame #12: 0x000000010016651a mruby`mrb_vm_run(mrb=0x000061400000a440, proc=0x000062f00000a480, self=mrb_value @ 0x00007fff5fb3d640, stack_keep=4) at vm.c:827
    frame #13: 0x000000010015f1cf mruby`mrb_run(mrb=0x000061400000a440, proc=0x000062f00000a480, self=mrb_value @ 0x00007fff5fb3d840) at vm.c:2640
    frame #14: 0x000000010015cb55 mruby`mrb_funcall_with_block(mrb=0x000061400000a440, self=mrb_value @ 0x00007fff5fb3e340, mid=116, argc=2, argv=0x00007fff5fb3e8a0, blk=mrb_value @ 0x00007fff5fb3da50) at vm.c:452
    frame #15: 0x0000000100159728 mruby`mrb_funcall_argv(mrb=0x000061400000a440, self=mrb_value @ 0x00007fff5fb3e680, mid=116, argc=2, argv=0x00007fff5fb3e8a0) at vm.c:462
    frame #16: 0x000000010015919f mruby`mrb_funcall(mrb=0x000061400000a440, self=mrb_value @ 0x00007fff5fb3e880, name="call", argc=2) at vm.c:346
    frame #17: 0x0000000100092c49 mruby`hash_default(mrb=0x000061400000a440, hash=mrb_value @ 0x00007fff5fb3edc0, key=mrb_value @ 0x00007fff5fb3ede0) at hash.c:382
    frame #18: 0x00000001000916c7 mruby`mrb_hash_get(mrb=0x000061400000a440, hash=mrb_value @ 0x00007fff5fb3f0c0, key=mrb_value @ 0x00007fff5fb3f0e0) at hash.c:180
    frame #19: 0x0000000100098ff5 mruby`mrb_hash_aget(mrb=0x000061400000a440, self=mrb_value @ 0x00007fff5fb3f3c0) at hash.c:374
    frame #20: 0x00000001001712d5 mruby`mrb_vm_exec(mrb=0x000061400000a440, proc=0x000062f000002140, pc=0x000060300000b0bc) at vm.c:1272
    ...

ASAN report:

==63712==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001de80 at pc 0x00010b2a84ca bp 0x7fff54c9a010 sp 0x7fff54c997c0
WRITE of size 16 at 0x61d00001de80 thread T0
    #0 0x10b2a84c9 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d4c9)
    #1 0x10aff6505 in mrb_funcall_with_block (mruby:x86_64+0x10015c505)
    #2 0x10aff3727 in mrb_funcall_argv (mruby:x86_64+0x100159727)
    #3 0x10aff319e in mrb_funcall (mruby:x86_64+0x10015919e)
    #4 0x10af2cc48 in hash_default (mruby:x86_64+0x100092c48)
    #5 0x10af2b6c6 in mrb_hash_get (mruby:x86_64+0x1000916c6)
    #6 0x10af32ff4 in mrb_hash_aget (mruby:x86_64+0x100098ff4)
    #7 0x10b00b2d4 in mrb_vm_exec (mruby:x86_64+0x1001712d4)
    #8 0x10b000519 in mrb_vm_run (mruby:x86_64+0x100166519)
    #9 0x10aff91ce in mrb_run (mruby:x86_64+0x10015f1ce)
    #10 0x10aff6b54 in mrb_funcall_with_block (mruby:x86_64+0x10015cb54)
    #11 0x10aff3727 in mrb_funcall_argv (mruby:x86_64+0x100159727)
    #12 0x10aff319e in mrb_funcall (mruby:x86_64+0x10015919e)
    #13 0x10af2cc48 in hash_default (mruby:x86_64+0x100092c48)
    #14 0x10af2b6c6 in mrb_hash_get (mruby:x86_64+0x1000916c6)
    #15 0x10af32ff4 in mrb_hash_aget (mruby:x86_64+0x100098ff4)
    #16 0x10b00b2d4 in mrb_vm_exec (mruby:x86_64+0x1001712d4)
    #17 0x10b000519 in mrb_vm_run (mruby:x86_64+0x100166519)
    #18 0x10aff91ce in mrb_run (mruby:x86_64+0x10015f1ce)
    #19 0x10aff6b54 in mrb_funcall_with_block (mruby:x86_64+0x10015cb54)
    #20 0x10aff3727 in mrb_funcall_argv (mruby:x86_64+0x100159727)
    #21 0x10aff319e in mrb_funcall (mruby:x86_64+0x10015919e)
    #22 0x10af2cc48 in hash_default (mruby:x86_64+0x100092c48)
    #23 0x10af2b6c6 in mrb_hash_get (mruby:x86_64+0x1000916c6)
    #24 0x10af32ff4 in mrb_hash_aget (mruby:x86_64+0x100098ff4)
    #25 0x10b00b2d4 in mrb_vm_exec (mruby:x86_64+0x1001712d4)
    #26 0x10b000519 in mrb_vm_run (mruby:x86_64+0x100166519)
    #27 0x10aff91ce in mrb_run (mruby:x86_64+0x10015f1ce)
    #28 0x10aff6b54 in mrb_funcall_with_block (mruby:x86_64+0x10015cb54)
    #29 0x10aff3727 in mrb_funcall_argv (mruby:x86_64+0x100159727)
    #30 0x10aff319e in mrb_funcall (mruby:x86_64+0x10015919e)
    #31 0x10af2cc48 in hash_default (mruby:x86_64+0x100092c48)
    #32 0x10af2b6c6 in mrb_hash_get (mruby:x86_64+0x1000916c6)
    #33 0x10af32ff4 in mrb_hash_aget (mruby:x86_64+0x100098ff4)
    #34 0x10b00b2d4 in mrb_vm_exec (mruby:x86_64+0x1001712d4)
    #35 0x10b000519 in mrb_vm_run (mruby:x86_64+0x100166519)
    #36 0x10aff91ce in mrb_run (mruby:x86_64+0x10015f1ce)
    #37 0x10aff6b54 in mrb_funcall_with_block (mruby:x86_64+0x10015cb54)
    #38 0x10aff3727 in mrb_funcall_argv (mruby:x86_64+0x100159727)
    #39 0x10aff319e in mrb_funcall (mruby:x86_64+0x10015919e)
    #40 0x10af2cc48 in hash_default (mruby:x86_64+0x100092c48)
    #41 0x10af2b6c6 in mrb_hash_get (mruby:x86_64+0x1000916c6)
    #42 0x10af32ff4 in mrb_hash_aget (mruby:x86_64+0x100098ff4)
    #43 0x10b00b2d4 in mrb_vm_exec (mruby:x86_64+0x1001712d4)
    #44 0x10b000519 in mrb_vm_run (mruby:x86_64+0x100166519)
    #45 0x10aff91ce in mrb_run (mruby:x86_64+0x10015f1ce)
    #46 0x10aff6b54 in mrb_funcall_with_block (mruby:x86_64+0x10015cb54)
    #47 0x10aff3727 in mrb_funcall_argv (mruby:x86_64+0x100159727)
    #48 0x10aff319e in mrb_funcall (mruby:x86_64+0x10015919e)
    #49 0x10af2cc48 in hash_default (mruby:x86_64+0x100092c48)
    #50 0x10af2b6c6 in mrb_hash_get (mruby:x86_64+0x1000916c6)
    #51 0x10af32ff4 in mrb_hash_aget (mruby:x86_64+0x100098ff4)
    #52 0x10b00b2d4 in mrb_vm_exec (mruby:x86_64+0x1001712d4)
    #53 0x10b000519 in mrb_vm_run (mruby:x86_64+0x100166519)
    #54 0x10aff91ce in mrb_run (mruby:x86_64+0x10015f1ce)
    #55 0x10aff6b54 in mrb_funcall_with_block (mruby:x86_64+0x10015cb54)
    #56 0x10aff3727 in mrb_funcall_argv (mruby:x86_64+0x100159727)
    #57 0x10aff319e in mrb_funcall (mruby:x86_64+0x10015919e)
    #58 0x10af2cc48 in hash_default (mruby:x86_64+0x100092c48)
    #59 0x10af2b6c6 in mrb_hash_get (mruby:x86_64+0x1000916c6)
    #60 0x10af32ff4 in mrb_hash_aget (mruby:x86_64+0x100098ff4)
    #61 0x10b00b2d4 in mrb_vm_exec (mruby:x86_64+0x1001712d4)
    #62 0x10b000519 in mrb_vm_run (mruby:x86_64+0x100166519)
    #63 0x10aff91ce in mrb_run (mruby:x86_64+0x10015f1ce)
    #64 0x10aff6b54 in mrb_funcall_with_block (mruby:x86_64+0x10015cb54)
    #65 0x10aff3727 in mrb_funcall_argv (mruby:x86_64+0x100159727)
    #66 0x10aff319e in mrb_funcall (mruby:x86_64+0x10015919e)
    #67 0x10af2cc48 in hash_default (mruby:x86_64+0x100092c48)
    #68 0x10af2b6c6 in mrb_hash_get (mruby:x86_64+0x1000916c6)
    #69 0x10af32ff4 in mrb_hash_aget (mruby:x86_64+0x100098ff4)
    #70 0x10b00b2d4 in mrb_vm_exec (mruby:x86_64+0x1001712d4)
    #71 0x10b000519 in mrb_vm_run (mruby:x86_64+0x100166519)
    #72 0x10aff91ce in mrb_run (mruby:x86_64+0x10015f1ce)
    #73 0x10aff6b54 in mrb_funcall_with_block (mruby:x86_64+0x10015cb54)
    #74 0x10aff3727 in mrb_funcall_argv (mruby:x86_64+0x100159727)
    #75 0x10aff319e in mrb_funcall (mruby:x86_64+0x10015919e)
    #76 0x10af2cc48 in hash_default (mruby:x86_64+0x100092c48)
    #77 0x10af2b6c6 in mrb_hash_get (mruby:x86_64+0x1000916c6)
    #78 0x10af32ff4 in mrb_hash_aget (mruby:x86_64+0x100098ff4)
    #79 0x10b00b2d4 in mrb_vm_exec (mruby:x86_64+0x1001712d4)
    #80 0x10b000519 in mrb_vm_run (mruby:x86_64+0x100166519)
    #81 0x10aff91ce in mrb_run (mruby:x86_64+0x10015f1ce)
    #82 0x10aff6b54 in mrb_funcall_with_block (mruby:x86_64+0x10015cb54)
    #83 0x10aff3727 in mrb_funcall_argv (mruby:x86_64+0x100159727)
    #84 0x10aff319e in mrb_funcall (mruby:x86_64+0x10015919e)
    #85 0x10af2cc48 in hash_default (mruby:x86_64+0x100092c48)
    #86 0x10af2b6c6 in mrb_hash_get (mruby:x86_64+0x1000916c6)
    #87 0x10af32ff4 in mrb_hash_aget (mruby:x86_64+0x100098ff4)
    #88 0x10b00b2d4 in mrb_vm_exec (mruby:x86_64+0x1001712d4)
    #89 0x10b000519 in mrb_vm_run (mruby:x86_64+0x100166519)
    #90 0x10aff91ce in mrb_run (mruby:x86_64+0x10015f1ce)
    #91 0x10aff6b54 in mrb_funcall_with_block (mruby:x86_64+0x10015cb54)
    #92 0x10aff3727 in mrb_funcall_argv (mruby:x86_64+0x100159727)
    #93 0x10aff319e in mrb_funcall (mruby:x86_64+0x10015919e)
    #94 0x10af2cc48 in hash_default (mruby:x86_64+0x100092c48)
    #95 0x10af2b6c6 in mrb_hash_get (mruby:x86_64+0x1000916c6)
    #96 0x10af32ff4 in mrb_hash_aget (mruby:x86_64+0x100098ff4)
    #97 0x10b00b2d4 in mrb_vm_exec (mruby:x86_64+0x1001712d4)
    #98 0x10b000519 in mrb_vm_run (mruby:x86_64+0x100166519)
    #99 0x10aff91ce in mrb_run (mruby:x86_64+0x10015f1ce)
    #100 0x10aff6b54 in mrb_funcall_with_block (mruby:x86_64+0x10015cb54)
    #101 0x10aff3727 in mrb_funcall_argv (mruby:x86_64+0x100159727)
    #102 0x10aff319e in mrb_funcall (mruby:x86_64+0x10015919e)
    #103 0x10af2cc48 in hash_default (mruby:x86_64+0x100092c48)
    #104 0x10af2b6c6 in mrb_hash_get (mruby:x86_64+0x1000916c6)
    #105 0x10af32ff4 in mrb_hash_aget (mruby:x86_64+0x100098ff4)
    #106 0x10b00b2d4 in mrb_vm_exec (mruby:x86_64+0x1001712d4)
    #107 0x10b000519 in mrb_vm_run (mruby:x86_64+0x100166519)
    #108 0x10aff91ce in mrb_run (mruby:x86_64+0x10015f1ce)
    #109 0x10aff6b54 in mrb_funcall_with_block (mruby:x86_64+0x10015cb54)
    #110 0x10aff3727 in mrb_funcall_argv (mruby:x86_64+0x100159727)
    #111 0x10aff319e in mrb_funcall (mruby:x86_64+0x10015919e)
    #112 0x10af2cc48 in hash_default (mruby:x86_64+0x100092c48)
    #113 0x10af2b6c6 in mrb_hash_get (mruby:x86_64+0x1000916c6)
    #114 0x10af32ff4 in mrb_hash_aget (mruby:x86_64+0x100098ff4)
    #115 0x10b00b2d4 in mrb_vm_exec (mruby:x86_64+0x1001712d4)
    #116 0x10b000519 in mrb_vm_run (mruby:x86_64+0x100166519)
    #117 0x10aff91ce in mrb_run (mruby:x86_64+0x10015f1ce)
    #118 0x10aff6b54 in mrb_funcall_with_block (mruby:x86_64+0x10015cb54)
    #119 0x10aff3727 in mrb_funcall_argv (mruby:x86_64+0x100159727)
    #120 0x10aff319e in mrb_funcall (mruby:x86_64+0x10015919e)
    #121 0x10af2cc48 in hash_default (mruby:x86_64+0x100092c48)
    #122 0x10af2b6c6 in mrb_hash_get (mruby:x86_64+0x1000916c6)
    #123 0x10af32ff4 in mrb_hash_aget (mruby:x86_64+0x100098ff4)
    #124 0x10b00b2d4 in mrb_vm_exec (mruby:x86_64+0x1001712d4)
    #125 0x10b000519 in mrb_vm_run (mruby:x86_64+0x100166519)
    #126 0x10aff91ce in mrb_run (mruby:x86_64+0x10015f1ce)
    #127 0x10aff6b54 in mrb_funcall_with_block (mruby:x86_64+0x10015cb54)
    #128 0x10aff3727 in mrb_funcall_argv (mruby:x86_64+0x100159727)
    #129 0x10aff319e in mrb_funcall (mruby:x86_64+0x10015919e)
    #130 0x10af2cc48 in hash_default (mruby:x86_64+0x100092c48)
    #131 0x10af2b6c6 in mrb_hash_get (mruby:x86_64+0x1000916c6)
    #132 0x10af32ff4 in mrb_hash_aget (mruby:x86_64+0x100098ff4)
    #133 0x10b00b2d4 in mrb_vm_exec (mruby:x86_64+0x1001712d4)
    #134 0x10b000519 in mrb_vm_run (mruby:x86_64+0x100166519)
    #135 0x10aff91ce in mrb_run (mruby:x86_64+0x10015f1ce)
    #136 0x10aff6b54 in mrb_funcall_with_block (mruby:x86_64+0x10015cb54)
    #137 0x10aff3727 in mrb_funcall_argv (mruby:x86_64+0x100159727)
    #138 0x10aff319e in mrb_funcall (mruby:x86_64+0x10015919e)
    #139 0x10af2cc48 in hash_default (mruby:x86_64+0x100092c48)
    #140 0x10af2b6c6 in mrb_hash_get (mruby:x86_64+0x1000916c6)
    #141 0x10af32ff4 in mrb_hash_aget (mruby:x86_64+0x100098ff4)
    #142 0x10b00b2d4 in mrb_vm_exec (mruby:x86_64+0x1001712d4)
    #143 0x10b000519 in mrb_vm_run (mruby:x86_64+0x100166519)
    #144 0x10aff91ce in mrb_run (mruby:x86_64+0x10015f1ce)
    #145 0x10aff6b54 in mrb_funcall_with_block (mruby:x86_64+0x10015cb54)
    #146 0x10aff3727 in mrb_funcall_argv (mruby:x86_64+0x100159727)
    #147 0x10aff319e in mrb_funcall (mruby:x86_64+0x10015919e)
    #148 0x10af2cc48 in hash_default (mruby:x86_64+0x100092c48)
    #149 0x10af2b6c6 in mrb_hash_get (mruby:x86_64+0x1000916c6)
    #150 0x10af32ff4 in mrb_hash_aget (mruby:x86_64+0x100098ff4)
    #151 0x10b00b2d4 in mrb_vm_exec (mruby:x86_64+0x1001712d4)
    #152 0x10b000519 in mrb_vm_run (mruby:x86_64+0x100166519)
    #153 0x10aff91ce in mrb_run (mruby:x86_64+0x10015f1ce)
    #154 0x10aff6b54 in mrb_funcall_with_block (mruby:x86_64+0x10015cb54)
    #155 0x10aff3727 in mrb_funcall_argv (mruby:x86_64+0x100159727)
    #156 0x10aff319e in mrb_funcall (mruby:x86_64+0x10015919e)
    #157 0x10af2cc48 in hash_default (mruby:x86_64+0x100092c48)
    #158 0x10af2b6c6 in mrb_hash_get (mruby:x86_64+0x1000916c6)
    #159 0x10af32ff4 in mrb_hash_aget (mruby:x86_64+0x100098ff4)
    #160 0x10b00b2d4 in mrb_vm_exec (mruby:x86_64+0x1001712d4)
    #161 0x10b000519 in mrb_vm_run (mruby:x86_64+0x100166519)
    #162 0x10aff91ce in mrb_run (mruby:x86_64+0x10015f1ce)
    #163 0x10aff6b54 in mrb_funcall_with_block (mruby:x86_64+0x10015cb54)
    #164 0x10aff3727 in mrb_funcall_argv (mruby:x86_64+0x100159727)
    #165 0x10aff319e in mrb_funcall (mruby:x86_64+0x10015919e)
    #166 0x10af2cc48 in hash_default (mruby:x86_64+0x100092c48)
    #167 0x10af2b6c6 in mrb_hash_get (mruby:x86_64+0x1000916c6)
    #168 0x10af32ff4 in mrb_hash_aget (mruby:x86_64+0x100098ff4)
    #169 0x10b00b2d4 in mrb_vm_exec (mruby:x86_64+0x1001712d4)
    #170 0x10b000519 in mrb_vm_run (mruby:x86_64+0x100166519)
    #171 0x10aff91ce in mrb_run (mruby:x86_64+0x10015f1ce)
    #172 0x10aff6b54 in mrb_funcall_with_block (mruby:x86_64+0x10015cb54)
    #173 0x10aff3727 in mrb_funcall_argv (mruby:x86_64+0x100159727)
    #174 0x10aff319e in mrb_funcall (mruby:x86_64+0x10015919e)
    #175 0x10af2cc48 in hash_default (mruby:x86_64+0x100092c48)
    #176 0x10af2b6c6 in mrb_hash_get (mruby:x86_64+0x1000916c6)
    #177 0x10af32ff4 in mrb_hash_aget (mruby:x86_64+0x100098ff4)
    #178 0x10b00b2d4 in mrb_vm_exec (mruby:x86_64+0x1001712d4)
    #179 0x10b000519 in mrb_vm_run (mruby:x86_64+0x100166519)
    #180 0x10aff91ce in mrb_run (mruby:x86_64+0x10015f1ce)
    #181 0x10aff6b54 in mrb_funcall_with_block (mruby:x86_64+0x10015cb54)
    #182 0x10aff3727 in mrb_funcall_argv (mruby:x86_64+0x100159727)
    #183 0x10aff319e in mrb_funcall (mruby:x86_64+0x10015919e)
    #184 0x10af2c175 in mrb_hash_default (mruby:x86_64+0x100092175)
    #185 0x10b00b2d4 in mrb_vm_exec (mruby:x86_64+0x1001712d4)
    #186 0x10b000519 in mrb_vm_run (mruby:x86_64+0x100166519)
    #187 0x10b032f89 in mrb_top_run (mruby:x86_64+0x100198f89)
    #188 0x10b104ca5 in mrb_load_exec (mruby:x86_64+0x10026aca5)
    #189 0x10b1055f5 in mrb_load_file_cxt (mruby:x86_64+0x10026b5f5)
    #190 0x10ae9c906 in main mruby.c:227
    #191 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

0x61d00001de80 is located 0 bytes to the right of 2048-byte region [0x61d00001d680,0x61d00001de80)
allocated by thread T0 here:
    #0 0x10b2b1520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x10af95235 in mrb_default_allocf (mruby:x86_64+0x1000fb235)
    #2 0x10af16578 in mrb_realloc_simple gc.c:202
    #3 0x10af16c5e in mrb_realloc gc.c:216
    #4 0x10af176e3 in mrb_malloc gc.c:237
    #5 0x10af1777d in mrb_calloc gc.c:255
    #6 0x10aff7442 in stack_init (mruby:x86_64+0x10015d442)
    #7 0x10aff4600 in mrb_funcall_with_block (mruby:x86_64+0x10015a600)
    #8 0x10aff3f3a in mrb_funcall_with_block (mruby:x86_64+0x100159f3a)
    #9 0x10aff3727 in mrb_funcall_argv (mruby:x86_64+0x100159727)
    #10 0x10aeda9b5 in mrb_obj_new (mruby:x86_64+0x1000409b5)
    #11 0x10aeff52d in mrb_exc_new_str (mruby:x86_64+0x10006552d)
    #12 0x10af092f7 in mrb_init_exception (mruby:x86_64+0x10006f2f7)
    #13 0x10af3a320 in mrb_init_core (mruby:x86_64+0x1000a0320)
    #14 0x10af951ce in mrb_open_core (mruby:x86_64+0x1000fb1ce)
    #15 0x10af9539c in mrb_open_allocf (mruby:x86_64+0x1000fb39c)
    #16 0x10af95367 in mrb_open (mruby:x86_64+0x1000fb367)
    #17 0x10ae9b818 in main mruby.c:171
    #18 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d4c9) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c3a00003b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3a00003b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3a00003ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3a00003bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3a00003bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c3a00003bd0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3a00003be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3a00003bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3a00003c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3a00003c10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a00003c20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==63712==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ston3
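An added illustration, not mruby's code and not the fix matz committed: a toy model of the VM stack showing why the unguarded frame setup at vm.c:437-439 (copy argv to `stack+1`, write `blk` to `stack[argc+1]`) runs off the end of a fixed 2048-byte heap region when `Hash#default` keeps re-entering the VM through `mrb_funcall`, beside a variant that grows the stack before writing. All names here (`value_t`, `ctx_t`, `stack_extend`, `push_frame`, `nested_calls`) are the model's own, and the 16-byte slot size is an assumption taken from the "WRITE of size 16" in the report.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy model, not mruby's code: a 16-byte slot, the size of mrb_value on x86_64. */
typedef struct { uint64_t w[2]; } value_t;
#define STACK_INIT_BYTES 2048                                  /* region size in the ASAN report */
#define STACK_INIT_SLOTS (STACK_INIT_BYTES / sizeof(value_t))  /* 128 slots */

typedef struct {
  value_t *stbase;  /* start of the heap-allocated VM stack */
  value_t *stend;   /* one past the last slot */
  value_t *stack;   /* base of the current frame (mrb->c->stack in the trace) */
} ctx_t;

/* Hardened path: make sure `room` slots above c->stack are addressable, growing
   the buffer when needed and re-basing c->stack after realloc moves it. */
static int stack_extend(ctx_t *c, size_t room) {
  size_t used = (size_t)(c->stack - c->stbase);
  size_t size = (size_t)(c->stend - c->stbase);
  if (size - used >= room) return 0;
  while (size - used < room) size *= 2;
  value_t *nb = realloc(c->stbase, size * sizeof(value_t));
  if (!nb) return -1;
  c->stbase = nb; c->stend = nb + size; c->stack = nb + used;
  return 0;
}

/* Frame setup shaped like the crashing code: argv goes to stack+1, the block to
   stack[argc+1]. With check == 0 capacity is never extended (the bug); rather than
   corrupt the heap, the model returns -1 at the write ASAN flagged. */
static int push_frame(ctx_t *c, const value_t *argv, int argc, value_t blk, int check) {
  size_t need = (size_t)argc + 2;                    /* receiver + args + block */
  if (check) {
    if (stack_extend(c, need) != 0) return -1;
  } else if ((size_t)(c->stend - c->stack) < need) {
    return -1;                                       /* stack[argc+1] would land past stend */
  }
  if (argc > 0) memcpy(c->stack + 1, argv, argc * sizeof(value_t));
  c->stack[argc + 1] = blk;
  c->stack += need;                                  /* the callee runs above this frame */
  return 0;
}

/* Re-entrant default-proc calls from the report: each nested `call` pushes a
   two-argument frame. Returns the depth at which a frame no longer fits, or -1
   if all `depth` frames were placed. */
static int nested_calls(int depth, int check) {
  ctx_t c;
  value_t args[2] = {{{1, 0}}, {{2, 0}}}, blk = {{0, 0}};  /* constructed sample values */
  int failed_at = -1;
  c.stbase = calloc(STACK_INIT_SLOTS, sizeof(value_t));
  if (!c.stbase) return -2;
  c.stend = c.stbase + STACK_INIT_SLOTS; c.stack = c.stbase;
  for (int i = 0; i < depth && failed_at < 0; i++)
    if (push_frame(&c, args, 2, blk, check) != 0) failed_at = i;
  free(c.stbase);
  return failed_at;
}
```

With 16-byte slots the 2048-byte region holds 128 of them, so in this model 32 nested two-argument frames fill it and the 33rd frame's first write would land exactly at the region's end, matching the "0 bytes to the right of 2048-byte region" in the report.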

matz closed this in 045e78c Apr 13, 2017
