Null pointer dereference in mrb_hash_dup #3609

Closed
clayton-shopify opened this Issue Apr 17, 2017 · 0 comments

clayton-shopify commented Apr 17, 2017

The following input demonstrates a crash:

class X < Hash
  def initialize
  end
end

X.new.dup

ASAN report:

==82906==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x0001078722a7 bp 0x7fff58422590 sp 0x7fff58422080 T0)
==82906==The signal is caused by a READ memory access.
==82906==Hint: address points to the zero page.
    #0 0x1078722a6 in mrb_hash_dup hash.c:241
    #1 0x107944c24 in mrb_vm_exec vm.c:1276
    #2 0x107939dbf in mrb_vm_run vm.c:829
    #3 0x10796c8d9 in mrb_top_run vm.c:2655
    #4 0x107a3dc65 in mrb_load_exec parse.y:5780
    #5 0x107a3e5b5 in mrb_load_file_cxt parse.y:5789
    #6 0x1077d60e6 in main mruby.c:227
    #7 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

==82906==Register values:
rax = 0x0000000000000004  rbx = 0x00007fff58422180  rcx = 0x000060400001e9d0  rdx = 0x0000000000000004
rdi = 0x0000100000000000  rsi = 0x0000100000000000  rbp = 0x00007fff58422590  rsp = 0x00007fff58422080
 r8 = 0x00001c0800003d00   r9 = 0x0000100000000000  r10 = 0x0000000000000080  r11 = 0x0000000000000000
r12 = 0x00007fff58422140  r13 = 0x00007fff58422160  r14 = 0x00007fff58422100  r15 = 0x00007fff58422120
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV hash.c:241 in mrb_hash_dup
==82906==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/flamezzz
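The crash above has a common shape: a Ruby subclass of Hash overrides `initialize` without calling `super`, so the C object exists but the internal table the base initializer would have allocated is never created, and the C-level `dup` then reads through that missing pointer (the zero-page address in the ASAN hint). The toy C program below is an added illustration of that shape and of the defensive check that avoids it; it is not mruby's code, not the fix in c396184, and every type and function name in it (`toy_hash`, `toy_table`, `toy_hash_dup_unchecked`, `toy_hash_dup_checked`) is made up for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical types for this illustration only; not mruby's structures.
 * A toy hash object whose backing table is allocated by the base-class
 * initializer. A subclass initializer that skips super leaves tbl NULL. */
typedef struct {
    int *keys;
    size_t len;
} toy_table;

typedef struct {
    toy_table *tbl; /* NULL when the base initializer never ran */
} toy_hash;

/* Base-class initializer: allocates and fills the table. */
toy_hash *toy_hash_new_initialized(const int *keys, size_t len) {
    toy_hash *h = calloc(1, sizeof *h);
    if (!h) return NULL;
    h->tbl = calloc(1, sizeof *h->tbl);
    if (!h->tbl) { free(h); return NULL; }
    h->tbl->keys = calloc(len ? len : 1, sizeof *h->tbl->keys);
    if (!h->tbl->keys) { free(h->tbl); free(h); return NULL; }
    memcpy(h->tbl->keys, keys, len * sizeof *keys);
    h->tbl->len = len;
    return h;
}

/* Subclass initializer that forgot to call super: the object exists but
 * its table was never allocated. This models `class X < Hash; def
 * initialize; end; end` from the report. */
toy_hash *toy_hash_new_uninitialized(void) {
    return calloc(1, sizeof(toy_hash));
}

/* Deep-copies a table; assumes t is non-NULL. */
static toy_table *table_copy(const toy_table *t) {
    toy_table *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->keys = calloc(t->len ? t->len : 1, sizeof *c->keys);
    if (!c->keys) { free(c); return NULL; }
    memcpy(c->keys, t->keys, t->len * sizeof *t->keys);
    c->len = t->len;
    return c;
}

/* Crashing shape: hands h->tbl to table_copy unconditionally. On an object
 * from toy_hash_new_uninitialized this reads t->len through NULL, which is
 * the SEGV the sanitizer report above shows. Kept here for contrast; the
 * stand-alone main below does not call it. */
toy_hash *toy_hash_dup_unchecked(const toy_hash *h) {
    toy_hash *copy = calloc(1, sizeof *copy);
    if (!copy) return NULL;
    copy->tbl = table_copy(h->tbl);
    return copy;
}

/* Defensive shape: an object whose initializer never ran is treated as an
 * empty hash, so dup yields another empty hash instead of dereferencing NULL. */
toy_hash *toy_hash_dup_checked(const toy_hash *h) {
    toy_hash *copy = calloc(1, sizeof *copy);
    if (!copy) return NULL;
    copy->tbl = h->tbl ? table_copy(h->tbl) : NULL;
    return copy;
}

/* Length that also tolerates a missing table. */
size_t toy_hash_len(const toy_hash *h) {
    return (h && h->tbl) ? h->tbl->len : 0;
}

void toy_hash_free(toy_hash *h) {
    if (!h) return;
    if (h->tbl) { free(h->tbl->keys); free(h->tbl); }
    free(h);
}

int main(void) {
    int ks[3] = {1, 2, 3};                       /* constructed sample keys */
    toy_hash *a = toy_hash_new_initialized(ks, 3);
    toy_hash *b = toy_hash_dup_checked(a);
    toy_hash *u = toy_hash_new_uninitialized();  /* initialize skipped super */
    toy_hash *v = toy_hash_dup_checked(u);       /* no crash: empty copy */
    printf("dup of initialized: len=%zu\n", toy_hash_len(b));
    printf("dup of uninitialized: len=%zu\n", toy_hash_len(v));
    toy_hash_free(a); toy_hash_free(b); toy_hash_free(u); toy_hash_free(v);
    return 0;
}
```

The practical point for a VM or runtime author is that any C-level operation reachable from a script (here, `dup`) must not assume the base-class initializer ran, because script code can override `initialize` and skip it; the checked variant either tolerates the missing table or would raise a clean error, and a fuzzer with ASAN enabled (as in the report) is the cheapest way to find the unchecked cases.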

@matz matz closed this in c396184 Apr 18, 2017
