Null pointer dereference in mrb_struct_to_h #3607

Closed
clayton-shopify opened this Issue Apr 12, 2017 · 0 comments


clayton-shopify commented Apr 12, 2017

The following input demonstrates a crash:

Struct.new(:s) do
    def initialize
        to_h.a
    end
end.new

Debug:

Process 65801 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    frame #0: 0x00000001001cde9f mruby`mrb_struct_to_h(mrb=0x000061400000a440, self=mrb_value @ 0x00007fff5fbed440) at struct.c:645
   642 	  ret = mrb_hash_new_capa(mrb, RARRAY_LEN(members));
   643
   644 	  for (i = 0; i < RARRAY_LEN(members); ++i) {
-> 645 	    mrb_hash_set(mrb, ret, RARRAY_PTR(members)[i], RSTRUCT_PTR(self)[i]);
   646 	  }
   647
   648 	  return ret;

(lldb) p self.tt
(mrb_vtype) $1 = MRB_TT_ARRAY

(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001001cde9f mruby`mrb_struct_to_h(mrb=0x000061400000a440, self=mrb_value @ 0x00007fff5fbed440) at struct.c:645
    frame #1: 0x00000001001712d5 mruby`mrb_vm_exec(mrb=0x000061400000a440, proc=0x000062f000001f90, pc=0x000060300000b0b8) at vm.c:1272
    frame #2: 0x000000010016651a mruby`mrb_vm_run(mrb=0x000061400000a440, proc=0x000062f000001f90, self=mrb_value @ 0x00007fff5fbf52c0, stack_keep=4) at vm.c:827
    frame #3: 0x000000010015f1cf mruby`mrb_run(mrb=0x000061400000a440, proc=0x000062f000001f90, self=mrb_value @ 0x00007fff5fbf54c0) at vm.c:2640
    frame #4: 0x000000010015cb55 mruby`mrb_funcall_with_block(mrb=0x000061400000a440, self=mrb_value @ 0x00007fff5fbf5fc0, mid=8, argc=0, argv=0x0000000000000000, blk=mrb_value @ 0x00007fff5fbf56d0) at vm.c:452
    frame #5: 0x000000010003fbaa mruby`mrb_instance_new(mrb=0x000061400000a440, cv=mrb_value @ 0x00007fff5fbf6300) at class.c:1430
    frame #6: 0x00000001001712d5 mruby`mrb_vm_exec(mrb=0x000061400000a440, proc=0x000062f000002170, pc=0x000060300000b060) at vm.c:1272
    frame #7: 0x000000010016651a mruby`mrb_vm_run(mrb=0x000061400000a440, proc=0x000062f000002170, self=mrb_value @ 0x00007fff5fbfe140, stack_keep=4) at vm.c:827
    frame #8: 0x0000000100198f8a mruby`mrb_top_run(mrb=0x000061400000a440, proc=0x000062f000002170, self=mrb_value @ 0x00007fff5fbfe340, stack_keep=0) at vm.c:2651
    frame #9: 0x000000010026aca6 mruby`mrb_load_exec(mrb=0x000061400000a440, p=0x000062800000c120, c=0x000060600000a040) at parse.y:5780
    frame #10: 0x000000010026b5f6 mruby`mrb_load_file_cxt(mrb=0x000061400000a440, f=0x00007fffc4ab40b0, c=0x000060600000a040) at parse.y:5789
    frame #11: 0x0000000100002907 mruby`main(argc=2, argv=0x00007fff5fbff4f0) at mruby.c:227
    frame #12: 0x00007fffbbbba235 libdyld.dylib`start + 1

ASAN report:

==65584==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00010c97ce9f bp 0x7fff5343e7b0 sp 0x7fff5343e450 T0)
==65584==The signal is caused by a READ memory access.
==65584==Hint: address points to the zero page.
    #0 0x10c97ce9e in mrb_struct_to_h (mruby:x86_64+0x1001cde9e)
    #1 0x10c9202d4 in mrb_vm_exec (mruby:x86_64+0x1001712d4)
    #2 0x10c915519 in mrb_vm_run (mruby:x86_64+0x100166519)
    #3 0x10c90e1ce in mrb_run (mruby:x86_64+0x10015f1ce)
    #4 0x10c90bb54 in mrb_funcall_with_block (mruby:x86_64+0x10015cb54)
    #5 0x10c7eeba9 in mrb_instance_new (mruby:x86_64+0x10003fba9)
    #6 0x10c9202d4 in mrb_vm_exec (mruby:x86_64+0x1001712d4)
    #7 0x10c915519 in mrb_vm_run (mruby:x86_64+0x100166519)
    #8 0x10c947f89 in mrb_top_run (mruby:x86_64+0x100198f89)
    #9 0x10ca19ca5 in mrb_load_exec (mruby:x86_64+0x10026aca5)
    #10 0x10ca1a5f5 in mrb_load_file_cxt (mruby:x86_64+0x10026b5f5)
    #11 0x10c7b1906 in main mruby.c:227
    #12 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

==65584==Register values:
rax = 0x000060200001f018  rbx = 0x00007fff5343e540  rcx = 0x0000000000000166  rdx = 0x000000000000000f
rdi = 0x000061400000a440  rsi = 0x000062f000001f30  rbp = 0x00007fff5343e7b0  rsp = 0x00007fff5343e450
 r8 = 0x0000000000000004   r9 = 0x0000000000000000  r10 = 0x0000000000000080  r11 = 0xffffffffffffffc0
r12 = 0xf2f20000f1f1f1f1  r13 = 0x00001fffea688ab0  r14 = 0x00007fff5343e500  r15 = 0x00007fff5343e520
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (mruby:x86_64+0x1001cde9e) in mrb_struct_to_h
==65584==ABORTING
Abort trap: 6

This issue was reported by Dinko Galetic & Denis Kasak (https://hackerone.com/dgaletic).
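The lldb session above shows the root cause: `self.tt` is `MRB_TT_ARRAY` because `to_h` is called from inside `initialize`, before the struct's per-instance storage has been set up, so `RSTRUCT_PTR(self)[i]` reads through a null pointer. The following C program is an added example, not code from mruby or from the reporter, and it models that situation with a hypothetical `toy_struct` type: the same loop shape as struct.c:645 in an unguarded form, beside a guarded form that refuses to walk storage that does not exist yet. All names (`toy_struct`, `toy_to_h_unguarded`, `toy_to_h_guarded`, `toy_struct_demo`) are invented for the example and make no claim about what commit 17377af changed.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model (not mruby's data structures): a struct instance whose
 * per-instance storage is allocated by its initializer. Before initialize has
 * run, `values` is still NULL even though the class-level `members` list
 * already exists, which is the state the lldb session shows when to_h is
 * called from inside initialize. */
typedef struct {
    const char **members;   /* field names, fixed when the class is created */
    size_t nmembers;
    long *values;           /* per-instance slots; NULL until initialized */
} toy_struct;

/* Runs the "initialize" step: allocate one zero-filled slot per member. */
int toy_struct_init(toy_struct *s) {
    s->values = calloc(s->nmembers, sizeof *s->values);
    return s->values ? 0 : -1;
}

/* Unguarded conversion, shaped like the loop at struct.c:645 in the report:
 * it indexes `values` without checking that the storage exists, so calling it
 * on an uninitialized instance dereferences NULL (address 0x0, as in the ASAN
 * report). Kept only to show the defect; the demo never calls it on an
 * uninitialized struct. */
size_t toy_to_h_unguarded(const toy_struct *s, const char **keys, long *vals) {
    for (size_t i = 0; i < s->nmembers; ++i) {
        keys[i] = s->members[i];
        vals[i] = s->values[i];
    }
    return s->nmembers;
}

/* Guarded conversion: refuse to walk storage that does not exist yet and
 * report that to the caller (a VM would raise an exception here) instead of
 * crashing. Returns the number of pairs written, or -1 if uninitialized. */
long toy_to_h_guarded(const toy_struct *s, const char **keys, long *vals) {
    if (s->values == NULL) {
        return -1;
    }
    for (size_t i = 0; i < s->nmembers; ++i) {
        keys[i] = s->members[i];
        vals[i] = s->values[i];
    }
    return (long)s->nmembers;
}

/* Builds a two-field instance, converts it before and after initialization,
 * and returns 1 only if the guarded path rejected the uninitialized call and
 * accepted the initialized one with the expected contents. */
int toy_struct_demo(void) {
    static const char *names[] = { "s", "t" };   /* constructed sample fields */
    toy_struct s = { names, 2, NULL };
    const char *keys[2];
    long vals[2];

    /* Same situation as `to_h.a` inside initialize: storage not yet set up. */
    if (toy_to_h_guarded(&s, keys, vals) != -1) return 0;

    if (toy_struct_init(&s) != 0) return 0;
    s.values[0] = 7;
    s.values[1] = 42;

    long n = toy_to_h_guarded(&s, keys, vals);
    int ok = (n == 2 && strcmp(keys[0], "s") == 0 && vals[0] == 7
              && strcmp(keys[1], "t") == 0 && vals[1] == 42);
    free(s.values);
    return ok;
}
```

The guard is the generic pattern for any accessor on an object that can be observed before its own initializer has finished: check that the backing storage exists (or that the receiver has the expected type tag) before indexing into it, and turn the failure into an error the caller can handle rather than a memory read at address zero.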

@matz matz closed this in 17377af Apr 13, 2017
