Heap buffer overflow in OP_ARGARY #3610

Closed
clayton-shopify opened this Issue Apr 17, 2017 · 3 comments

@clayton-shopify
Contributor

clayton-shopify commented Apr 17, 2017

The following input demonstrates a crash:

module A module A
ensure
  module A module A module A module A
  ensure
    module A module A module A module A module A module A
      a
    ensure
      module A
        super
      end
    end end end end end end
  end end end end
end end

This is the same input as #3501 except with super instead of yield.

ASAN report:

==87234==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200001e060 at pc 0x0001082462f8 bp 0x7fff57d9f9f0 sp 0x7fff57d9f1a0
READ of size 16 at 0x60200001e060 thread T0
    #0 0x1082462f7 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7)
    #1 0x107fb543e in mrb_vm_exec vm.c:1556
    #2 0x107fa3dbf in mrb_vm_run vm.c:829
    #3 0x107f9ca4e in mrb_run vm.c:2644
    #4 0x107fd3d1e in ecall vm.c:320
    #5 0x107fb8828 in mrb_vm_exec vm.c:1716
    #6 0x107fa3dbf in mrb_vm_run vm.c:829
    #7 0x107f9ca4e in mrb_run vm.c:2644
    #8 0x107fd3d1e in ecall vm.c:320
    #9 0x107fac4a6 in mrb_vm_exec vm.c:1170
    #10 0x107fa3dbf in mrb_vm_run vm.c:829
    #11 0x107f9ca4e in mrb_run vm.c:2644
    #12 0x107fd3d1e in ecall vm.c:320
    #13 0x107fac4a6 in mrb_vm_exec vm.c:1170
    #14 0x107fa3dbf in mrb_vm_run vm.c:829
    #15 0x107fd68d9 in mrb_top_run vm.c:2655
    #16 0x1080a7c65 in mrb_load_exec parse.y:5780
    #17 0x1080a85b5 in mrb_load_file_cxt parse.y:5789
    #18 0x107e400e6 in main mruby.c:227
    #19 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

0x60200001e060 is located 0 bytes to the right of 16-byte region [0x60200001e050,0x60200001e060)
allocated by thread T0 here:
    #0 0x10824f520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x107f38a85 in mrb_default_allocf state.c:60
    #2 0x107eb9d58 in mrb_realloc_simple gc.c:202
    #3 0x107eba43e in mrb_realloc gc.c:216
    #4 0x107ebaec3 in mrb_malloc gc.c:237
    #5 0x107f95fd2 in mrb_env_unshare vm.c:260
    #6 0x107f9a792 in cipop vm.c:285
    #7 0x107fb7f10 in mrb_vm_exec vm.c:1689
    #8 0x107fa3dbf in mrb_vm_run vm.c:829
    #9 0x107f9ca4e in mrb_run vm.c:2644
    #10 0x107fd3d1e in ecall vm.c:320
    #11 0x107fac4a6 in mrb_vm_exec vm.c:1170
    #12 0x107fa3dbf in mrb_vm_run vm.c:829
    #13 0x107f9ca4e in mrb_run vm.c:2644
    #14 0x107fd3d1e in ecall vm.c:320
    #15 0x107fac4a6 in mrb_vm_exec vm.c:1170
    #16 0x107fa3dbf in mrb_vm_run vm.c:829
    #17 0x107fd68d9 in mrb_top_run vm.c:2655
    #18 0x1080a7c65 in mrb_load_exec parse.y:5780
    #19 0x1080a85b5 in mrb_load_file_cxt parse.y:5789
    #20 0x107e400e6 in main mruby.c:227
    #21 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c0400003bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400003bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400003bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400003be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400003bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c0400003c00: fa fa fa fa fa fa fa fa fa fa 00 00[fa]fa 00 06
  0x1c0400003c10: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 04 fa
  0x1c0400003c20: fa fa 00 fa fa fa 00 00 fa fa 00 06 fa fa 00 fa
  0x1c0400003c30: fa fa 00 fa fa fa 00 fa fa fa 04 fa fa fa 00 fa
  0x1c0400003c40: fa fa 00 00 fa fa 00 06 fa fa 00 fa fa fa 00 fa
  0x1c0400003c50: fa fa 00 fa fa fa 00 fa fa fa 00 00 fa fa 00 06
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==87234==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/geeknik

@matz matz closed this in 82ab461 Apr 18, 2017

matz added a commit that referenced this issue Apr 18, 2017

Call exc_debug_info() in mrb_exc_set(); ref #3610
Otherwise line number information is missing from exceptions
raised in VM, e.g. "super called outside of method".

Contributor

clayton-shopify commented Apr 18, 2017

@matz It looks like the fix is incomplete, because the original input is still causing a crash.

Contributor

clayton-shopify commented Apr 18, 2017

Debug:

(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = Heap buffer overflow
  * frame #0: 0x00000001004a3940 libclang_rt.asan_osx_dynamic.dylib`__asan::AsanDie()
    frame #1: 0x00000001004ba248 libclang_rt.asan_osx_dynamic.dylib`__sanitizer::Die() + 88
    frame #2: 0x00000001004a1207 libclang_rt.asan_osx_dynamic.dylib`__asan::ScopedInErrorReport::~ScopedInErrorReport() + 311
    frame #3: 0x00000001004a0c9a libclang_rt.asan_osx_dynamic.dylib`__asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) + 410
    frame #4: 0x0000000100493322 libclang_rt.asan_osx_dynamic.dylib`__asan_memcpy + 898
    frame #5: 0x0000000100178402 mruby`mrb_vm_exec(mrb=0x000061400000a440, proc=0x000062f000001450, pc=0x000060200001ee70) at vm.c:1575
    frame #6: 0x00000001001667a0 mruby`mrb_vm_run(mrb=0x000061400000a440, proc=0x000062f000001450, self=mrb_value @ 0x00007fff5fbe52e0, stack_keep=2) at vm.c:829
    frame #7: 0x000000010015f42f mruby`mrb_run(mrb=0x000061400000a440, proc=0x000062f000001450, self=mrb_value @ 0x00007fff5fbe5560) at vm.c:2663
    frame #8: 0x0000000100196cff mruby`ecall(mrb=0x000061400000a440, i=0) at vm.c:320
    frame #9: 0x000000010017b7ec mruby`mrb_vm_exec(mrb=0x000061400000a440, proc=0x000062f000001db0, pc=0x000060300000b0b8) at vm.c:1735
    frame #10: 0x00000001001667a0 mruby`mrb_vm_run(mrb=0x000061400000a440, proc=0x000062f000001db0, self=mrb_value @ 0x00007fff5fbed780, stack_keep=2) at vm.c:829
    frame #11: 0x000000010015f42f mruby`mrb_run(mrb=0x000061400000a440, proc=0x000062f000001db0, self=mrb_value @ 0x00007fff5fbeda00) at vm.c:2663
    frame #12: 0x0000000100196cff mruby`ecall(mrb=0x000061400000a440, i=0) at vm.c:320
    frame #13: 0x000000010016ee9b mruby`mrb_vm_exec(mrb=0x000061400000a440, proc=0x000062f000002050, pc=0x000060200001e6f8) at vm.c:1173
    frame #14: 0x00000001001667a0 mruby`mrb_vm_run(mrb=0x000061400000a440, proc=0x000062f000002050, self=mrb_value @ 0x00007fff5fbf5c20, stack_keep=2) at vm.c:829
    frame #15: 0x000000010015f42f mruby`mrb_run(mrb=0x000061400000a440, proc=0x000062f000002050, self=mrb_value @ 0x00007fff5fbf5ea0) at vm.c:2663
    frame #16: 0x0000000100196cff mruby`ecall(mrb=0x000061400000a440, i=0) at vm.c:320
    frame #17: 0x000000010016ee9b mruby`mrb_vm_exec(mrb=0x000061400000a440, proc=0x000062f000002170, pc=0x000060200001e2b8) at vm.c:1173
    frame #18: 0x00000001001667a0 mruby`mrb_vm_run(mrb=0x000061400000a440, proc=0x000062f000002170, self=mrb_value @ 0x00007fff5fbfe0c0, stack_keep=2) at vm.c:829
    frame #19: 0x00000001001998ba mruby`mrb_top_run(mrb=0x000061400000a440, proc=0x000062f000002170, self=mrb_value @ 0x00007fff5fbfe340, stack_keep=0) at vm.c:2674
    frame #20: 0x000000010026aba6 mruby`mrb_load_exec(mrb=0x000061400000a440, p=0x000062800000c120, c=0x000060600000a040) at parse.y:5780
    frame #21: 0x000000010026b4f6 mruby`mrb_load_file_cxt(mrb=0x000061400000a440, f=0x00007fffc4ab40b0, c=0x000060600000a040) at parse.y:5789
    frame #22: 0x00000001000029e7 mruby`main(argc=2, argv=0x00007fff5fbff500) at mruby.c:227
    frame #23: 0x00007fffbbbba235 libdyld.dylib`start + 1

(lldb) frame select 5
frame #5: 0x0000000100178402 mruby`mrb_vm_exec(mrb=0x000061400000a440, proc=0x000062f000001450, pc=0x000060200001ee70) at vm.c:1575
   1572	        }
   1573	        rest->len = m1+len+m2;
   1574	      }
-> 1575	      regs[a+1] = stack[m1+r+m2];
   1576	      ARENA_RESTORE(mrb, ai);
   1577	      NEXT;
   1578	    }

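The ASan report above says the 16-byte read landed 0 bytes past a 16-byte region allocated in mrb_env_unshare, and the lldb frame shows the read is `stack[m1+r+m2]` in the OP_ARGARY handler: a one-slot register window indexed at position 1. The following C model is an added illustration, not mruby's code, of that bug class and of the check that prevents it. The `window_t` type, the 16-byte `value_t` standing in for `mrb_value`, and both `argary_*` functions are assumptions made for the example; the real fix in 283d145 is not reproduced here.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Illustrative model, not mruby's code. A 16-byte value (the size ASan
 * reported for the read) stands in for mrb_value. */
typedef struct { uint64_t w[2]; } value_t;

/* A heap-allocated register window with an explicit length, standing in for
 * the env stack that mrb_env_unshare allocates (16 bytes = one slot in the report). */
typedef struct {
    value_t *slots;
    size_t   len;
} window_t;

static window_t window_new(size_t len) {
    window_t w;
    w.slots = calloc(len ? len : 1, sizeof(value_t));
    w.len = len;
    return w;
}

static void window_free(window_t *w) {
    free(w->slots);
    w->slots = NULL;
    w->len = 0;
}

/* Unchecked form, same shape as `regs[a+1] = stack[m1+r+m2]`. With a one-slot
 * window and m1+r+m2 == 1 this reads 16 bytes just past the allocation,
 * which is exactly what ASan flagged. Shown only for contrast; never called. */
value_t argary_unchecked(const window_t *stack, int m1, int r, int m2) {
    return stack->slots[m1 + r + m2];
}

/* Checked form: the computed index is validated against the window length
 * before any copy. Returns 0 on success, -1 when the read would be out of
 * bounds (the VM would raise an argument error at that point). */
static int argary_checked(const window_t *stack, int m1, int r, int m2, value_t *out) {
    long idx = (long)m1 + r + m2;
    if (idx < 0 || (size_t)idx >= stack->len) {
        return -1;
    }
    *out = stack->slots[idx];
    return 0;
}

/* Reproduce the geometry from the report: one 16-byte slot, index 1. */
int demo_out_of_bounds_is_rejected(void) {
    window_t w = window_new(1);
    value_t v;
    int rc = argary_checked(&w, 1, 0, 0, &v);  /* index 1 into a 1-slot window */
    window_free(&w);
    return rc;                                  /* -1: read refused */
}

/* A legitimate read (index 2 of 3) still goes through. */
int demo_in_bounds_is_accepted(void) {
    window_t w = window_new(3);
    w.slots[2].w[0] = 0x2a;                     /* constructed marker value */
    value_t v;
    int rc = argary_checked(&w, 1, 1, 0, &v);   /* index 2 into a 3-slot window */
    int ok = (rc == 0 && v.w[0] == 0x2a);
    window_free(&w);
    return ok;
}

int main(void) {
    printf("out-of-bounds read rejected: %s\n",
           demo_out_of_bounds_is_rejected() == -1 ? "yes" : "no");
    printf("in-bounds read accepted:     %s\n",
           demo_in_bounds_is_accepted() ? "yes" : "no");
    return 0;
}
```

The point of the model is the relationship the report exposes: the index fed to the copy is computed from instruction operands and the current frame's argument counts, while the window it indexes is sized by a different code path (mrb_env_unshare via cipop), so the two can disagree on a pathological nesting of ensure blocks. Checking the computed index against the window's actual length, rather than trusting the operands, is what turns a silent out-of-bounds read into a reportable error.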
@matz matz reopened this Apr 18, 2017

@matz matz closed this in 283d145 Apr 19, 2017

Member

matz commented Apr 19, 2017

Sorry, I made a mistake.
