
Heap buffer overflow in OP_GETCONST #3611

Closed

clayton-shopify (Contributor) opened this issue Apr 17, 2017 · 0 comments

clayton-shopify commented Apr 17, 2017

The following input demonstrates a crash:

```ruby
class CVAR1
  def send(*)
    super
    begin
      mvar1
      mvar1
    rescue => c
    ensure
    end
  end
end

def mvar1(*)
end

mvarsend1 = def remove_const
  super(*b)
end

CVAR1.new.send(mvarsend1)
```

ASAN report:

```
==10366==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200001eef4 at pc 0x0001033bc02c bp 0x7fff5c9a45b0 sp 0x7fff5c9a45a8
READ of size 4 at 0x60200001eef4 thread T0
    #0 0x1033bc02b in mrb_vm_exec vm.c:996
    #1 0x1033b7dbf in mrb_vm_run vm.c:829
    #2 0x1033ea8d9 in mrb_top_run vm.c:2655
    #3 0x1034bbc65 in mrb_load_exec parse.y:5780
    #4 0x1034bc5b5 in mrb_load_file_cxt parse.y:5789
    #5 0x1032540e6 in main mruby.c:227
    #6 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

0x60200001eef4 is located 0 bytes to the right of 4-byte region [0x60200001eef0,0x60200001eef4)
allocated by thread T0 here:
    #0 0x103662520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x10334ca85 in mrb_default_allocf state.c:60
    #2 0x1032cdd58 in mrb_realloc_simple gc.c:202
    #3 0x10347ce45 in codegen_realloc codegen.c:132
    #4 0x10348d4ec in scope_finish codegen.c:2868
    #5 0x10348396e in lambda_body codegen.c:725
    #6 0x10347bb6b in codegen codegen.c:2712
    #7 0x10346c766 in codegen codegen.c:1688
    #8 0x103467381 in codegen codegen.c:1271
    #9 0x10347f796 in scope_body codegen.c:737
    #10 0x10346b1f3 in codegen codegen.c:1579
    #11 0x103464941 in mrb_generate_code codegen.c:2979
    #12 0x1034bb0e0 in mrb_load_exec parse.y:5757
    #13 0x1034bc5b5 in mrb_load_file_cxt parse.y:5789
    #14 0x1032540e6 in main mruby.c:227
    #15 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-buffer-overflow vm.c:996 in mrb_vm_exec
Shadow bytes around the buggy address:
  0x1c0400003d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400003d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400003da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400003db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400003dc0: fa fa 00 00 fa fa 00 00 fa fa 02 fa fa fa 00 fa
=>0x1c0400003dd0: fa fa 02 fa fa fa 00 00 fa fa 00 fa fa fa[04]fa
  0x1c0400003de0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa fd fd
  0x1c0400003df0: fa fa 02 fa fa fa 06 fa fa fa 00 fa fa fa 06 fa
  0x1c0400003e00: fa fa 00 04 fa fa 00 00 fa fa 00 00 fa fa fd fd
  0x1c0400003e10: fa fa 02 fa fa fa 00 02 fa fa 00 fa fa fa 00 fa
  0x1c0400003e20: fa fa 04 fa fa fa 00 02 fa fa 02 fa fa fa 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==10366==ABORTING
Abort trap: 6
```

This issue was reported by https://hackerone.com/flamezzz
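What ASan is describing is a 4-byte read one slot past the end of a 4-byte heap block that codegen allocated while finishing a method scope (`scope_finish`), performed by the OP_GETCONST handler at vm.c:996. The toy interpreter below is an added example, not mruby's code and not the fix in f6c70bc: it models the bug class (an instruction operand used as an index into a per-irep symbol table without being compared against that table's length) and one way to close it, a load-time verifier that rejects bytecode whose operands point outside the tables they reference. The instruction encoding, opcode numbers, `irep_t` layout, `constget` stub and the two sample programs are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not mruby's code. A toy register VM with the shape the
 * report describes: an irep holds a bytecode array plus a per-irep symbol
 * table, and OP_GETCONST names its symbol by the instruction's Bx operand.
 * Encoding, opcode numbers, struct layout and names are assumptions. */

typedef uint32_t code_t;   /* 32-bit instruction word (compare mrb_code) */
typedef uint32_t sym_t;    /* 32-bit symbol id (compare mrb_sym) */

enum { OP_GETCONST = 1, OP_RETURN = 2 };
#define NREGS 16

/* Assumed layout: bits 0-6 opcode, bits 7-15 register A, bits 16-31 operand Bx. */
#define MK(op, a, bx) (((code_t)(op) & 0x7fu) | (((code_t)(a) & 0x1ffu) << 7) | \
                       (((code_t)(bx) & 0xffffu) << 16))
#define OPC(i)    ((i) & 0x7fu)
#define ARG_A(i)  (((i) >> 7) & 0x1ffu)
#define ARG_Bx(i) (((i) >> 16) & 0xffffu)

typedef struct {
    const code_t *iseq; size_t ilen;   /* instructions */
    const sym_t  *syms; size_t slen;   /* symbol table this irep may index */
} irep_t;

/* Stand-in for constant lookup; returns a value the caller can check. */
static long constget(sym_t sym) { return 1000L + (long)sym; }

/* Dispatch loop that trusts its operands: the bug class. syms[Bx] is read
 * without comparing Bx against slen, so a malformed Bx reads past the table
 * (a 4-byte over-read, like the one ASan reported). Only safe on verified input. */
static long vm_exec(const irep_t *ir, long *regs) {
    for (size_t pc = 0; pc < ir->ilen; pc++) {
        code_t i = ir->iseq[pc];
        switch (OPC(i)) {
        case OP_GETCONST:
            regs[ARG_A(i)] = constget(ir->syms[ARG_Bx(i)]);
            break;
        case OP_RETURN:
            return regs[ARG_A(i)];
        default:
            return -1;
        }
    }
    return -1;
}

/* Load-time verifier: one pass over the bytecode rejecting any operand that
 * indexes outside the table or register file it refers to. Returns 0 when the
 * irep is well-formed, otherwise 1 + offset of the first offending instruction. */
static size_t irep_verify(const irep_t *ir) {
    for (size_t pc = 0; pc < ir->ilen; pc++) {
        code_t i = ir->iseq[pc];
        if (ARG_A(i) >= NREGS) return pc + 1;
        switch (OPC(i)) {
        case OP_GETCONST:
            if (ARG_Bx(i) >= ir->slen) return pc + 1;  /* the missing check */
            break;
        case OP_RETURN:
            break;
        default:
            return pc + 1;                              /* unknown opcode */
        }
    }
    return 0;
}

/* Hardened entry point: verify first, then run the fast path. */
int vm_run(const irep_t *ir, long *out) {
    long regs[NREGS] = {0};
    if (irep_verify(ir) != 0) return -1;
    *out = vm_exec(ir, regs);
    return 0;
}

/* Constructed inputs. Both programs have a one-entry symbol table; the bad one
 * asks OP_GETCONST for syms[1], one slot past the end, which is the shape of
 * the report's "0 bytes to the right of 4-byte region". */
static const sym_t  one_sym[1]   = { 42 };
static const code_t good_iseq[2] = { MK(OP_GETCONST, 1, 0), MK(OP_RETURN, 1, 0) };
static const code_t bad_iseq[2]  = { MK(OP_GETCONST, 1, 1), MK(OP_RETURN, 1, 0) };

int demo_good(long *out) { irep_t ir = { good_iseq, 2, one_sym, 1 }; return vm_run(&ir, out); }
int demo_bad(long *out)  { irep_t ir = { bad_iseq,  2, one_sym, 1 }; return vm_run(&ir, out); }
size_t demo_bad_offset(void) { irep_t ir = { bad_iseq, 2, one_sym, 1 }; return irep_verify(&ir); }

int main(void) {
    long v = 0;
    int rc = demo_good(&v);
    printf("well-formed: rc=%d value=%ld\n", rc, v);       /* rc=0 value=1042 */
    rc = demo_bad(&v);
    printf("malformed:   rc=%d rejected at instruction %zu\n", rc, demo_bad_offset());
    return 0;
}
```

Run as-is, the well-formed program returns 1042 while the malformed one, whose Bx operand points one entry past a one-entry symbol table, is rejected before the VM touches memory. Checking at dispatch time is the other option; a verifier pass keeps the check off the hot path, but it then has to cover every operand that indexes a table (symbols, literal pool, child ireps, registers) or the fast path inherits the gap.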

@matz matz closed this in f6c70bc Apr 18, 2017
