New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Heap buffer overflow in ary_concat #3613

Closed
clayton-shopify opened this Issue Apr 17, 2017 · 1 comment

Comments

Projects
None yet
2 participants
@clayton-shopify
Contributor

clayton-shopify commented Apr 17, 2017

The following input demonstrates a crash:

class CVAR1
def send(c, b, x)
super(*c)
super(*b)
end

end

mvarsend1 = def to_s
yield c==c
end

CVAR1.new.send(mvarsend1, 0, 0)

ASAN report:

==12212==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62f000000018 at pc 0x0001055ff712 bp 0x7fff5a5fd340 sp 0x7fff5a5fd338
READ of size 4 at 0x62f000000018 thread T0
    #0 0x1055ff711 in ary_concat array.c:265
    #1 0x1055ff5d4 in mrb_ary_concat array.c:284
    #2 0x105784e86 in mrb_vm_exec (mruby:x86_64+0x10018be86)
    #3 0x10575edbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #4 0x1057918d9 in mrb_top_run (mruby:x86_64+0x1001988d9)
    #5 0x105862c65 in mrb_load_exec (mruby:x86_64+0x100269c65)
    #6 0x1058635b5 in mrb_load_file_cxt (mruby:x86_64+0x10026a5b5)
    #7 0x1055fb0e6 in main mruby.c:227
    #8 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

0x62f000000018 is located 1000 bytes to the left of 49200-byte region [0x62f000000400,0x62f00000c430)
allocated by thread T0 here:
    #0 0x105a0a520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x1056f3a85 in mrb_default_allocf (mruby:x86_64+0x1000faa85)
    #2 0x105674d58 in mrb_realloc_simple gc.c:202
    #3 0x10567543e in mrb_realloc gc.c:216
    #4 0x105675ec3 in mrb_malloc gc.c:237
    #5 0x105675f5d in mrb_calloc gc.c:255
    #6 0x105676509 in add_heap gc.c:325
    #7 0x105676353 in mrb_gc_init gc.c:358
    #8 0x1056f38dc in mrb_open_core (mruby:x86_64+0x1000fa8dc)
    #9 0x1056f3bec in mrb_open_allocf (mruby:x86_64+0x1000fabec)
    #10 0x1056f3bb7 in mrb_open (mruby:x86_64+0x1000fabb7)
    #11 0x1055f9ff8 in main mruby.c:171
    #12 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-buffer-overflow array.c:265 in ary_concat
Shadow bytes around the buggy address:
  0x1c5dffffffb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c5dffffffc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c5dffffffd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c5dffffffe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c5dfffffff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c5e00000000: fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c5e00000010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c5e00000020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c5e00000030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c5e00000040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c5e00000050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12212==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/flamezzz

@matz

This comment has been minimized.

Show comment
Hide comment
@matz

matz Apr 18, 2017

Member

f6c70bc fixed this too.

Member

matz commented Apr 18, 2017

f6c70bc fixed this too.

@matz matz closed this Apr 18, 2017

matz added a commit that referenced this issue Apr 18, 2017

Changed evaluation order of `yield`; ref #3613
So that `yield expr_with_error` will cause the error from the
argument rather than `LocalJumpError` when no block is given.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment