Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Heap use-after-free in fiber_switch #3619

Closed
clayton-shopify opened this issue Apr 19, 2017 · 2 comments
Closed

Heap use-after-free in fiber_switch #3619

clayton-shopify opened this issue Apr 19, 2017 · 2 comments

Comments

@clayton-shopify
Copy link
Contributor

@clayton-shopify clayton-shopify commented Apr 19, 2017
edited

The following input demonstrates a crash:

f = Fiber.new do
  f = Fiber.new do
  end
end

f.resume
GC.start

f.resume

ASAN report:

==53995==ERROR: AddressSanitizer: heap-use-after-free on address 0x61900000f080 at pc 0x0001092862f8 bp 0x7fff57562d10 sp 0x7fff575624c0
READ of size 16 at 0x61900000f080 thread T0
    #0 0x1092862f7 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7)
    #1 0x10889ba5a in fiber_switch fiber.c:198
    #2 0x10889e715 in fiber_resume fiber.c:244
    #3 0x108804f65 in mrb_vm_exec vm.c:1304
    #4 0x1087fa07f in mrb_vm_run vm.c:854
    #5 0x10882d649 in mrb_top_run vm.c:2705
    #6 0x1088fea85 in mrb_load_exec parse.y:5780
    #7 0x1088ff3d5 in mrb_load_file_cxt parse.y:5789
    #8 0x1086954c6 in main mruby.c:227
    #9 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

0x61900000f080 is located 0 bytes inside of 1024-byte region [0x61900000f080,0x61900000f480)
freed by thread T0 here:
    #0 0x10928f356 in wrap_free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56356)
    #1 0x10878dfeb in mrb_default_allocf state.c:56
    #2 0x108710499 in mrb_free gc.c:269
    #3 0x10878fe5c in mrb_free_context state.c:226
    #4 0x108711332 in obj_free gc.c:777
    #5 0x10871a59b in incremental_sweep_phase gc.c:1038
    #6 0x108718e3c in incremental_gc gc.c:1104
    #7 0x108714e06 in incremental_gc_until gc.c:1120
    #8 0x108715207 in clear_all_old gc.c:1146
    #9 0x10870f3d1 in mrb_full_gc gc.c:1212
    #10 0x1087167b3 in gc_start gc.c:1324
    #11 0x108804f65 in mrb_vm_exec vm.c:1304
    #12 0x1087fa07f in mrb_vm_run vm.c:854
    #13 0x10882d649 in mrb_top_run vm.c:2705
    #14 0x1088fea85 in mrb_load_exec parse.y:5780
    #15 0x1088ff3d5 in mrb_load_file_cxt parse.y:5789
    #16 0x1086954c6 in main mruby.c:227
    #17 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

previously allocated by thread T0 here:
    #0 0x10928f520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x10878e005 in mrb_default_allocf state.c:60
    #2 0x10870f1b8 in mrb_realloc_simple gc.c:202
    #3 0x10870f89e in mrb_realloc gc.c:216
    #4 0x108710323 in mrb_malloc gc.c:237
    #5 0x10889d7d1 in fiber_init fiber.c:94
    #6 0x1087ef552 in mrb_funcall_with_block vm.c:445
    #7 0x1086d2769 in mrb_instance_new class.c:1430
    #8 0x108804f65 in mrb_vm_exec vm.c:1304
    #9 0x1087fa07f in mrb_vm_run vm.c:854
    #10 0x10882d649 in mrb_top_run vm.c:2705
    #11 0x1088fea85 in mrb_load_exec parse.y:5780
    #12 0x1088ff3d5 in mrb_load_file_cxt parse.y:5789
    #13 0x1086954c6 in main mruby.c:227
    #14 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-use-after-free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c3200001dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3200001dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3200001de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3200001df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3200001e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c3200001e10:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3200001e20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3200001e30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3200001e40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3200001e50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3200001e60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==53995==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ssarong
@clayton-shopify clayton-shopify changed the title Heap use Heap use-after-free in fiber_switch Apr 19, 2017
@clayton-shopify
Copy link
Contributor Author

@clayton-shopify clayton-shopify commented Apr 19, 2017

Sorry, I hit the submit button too soon. The description is updated with the full details now.

@clayton-shopify
Copy link
Contributor Author

@clayton-shopify clayton-shopify commented Apr 21, 2017

Dinko Galetic & Denis Kasak (https://hackerone.com/dgaletic) reported a similar case. Given the similar input, it's possible that the root cause is the same:

Fiber.new {
  Fiber.new {
    Fiber.new {}.resume
  }.resume while 1
}.resume

@matz matz closed this as completed in 15fba69 Apr 22, 2017
matz added a commit that referenced this issue Apr 22, 2017
@matz
Keep reference to mrb_context from env; fix #3619
5513fce
@clayton-shopify clayton-shopify mentioned this issue Oct 30, 2017
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@clayton-shopify