==53995==ERROR: AddressSanitizer: heap-use-after-free on address 0x61900000f080 at pc 0x0001092862f8 bp 0x7fff57562d10 sp 0x7fff575624c0
READ of size 16 at 0x61900000f080 thread T0
#0 0x1092862f7 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7)
#1 0x10889ba5a in fiber_switch fiber.c:198
#2 0x10889e715 in fiber_resume fiber.c:244
#3 0x108804f65 in mrb_vm_exec vm.c:1304
#4 0x1087fa07f in mrb_vm_run vm.c:854
#5 0x10882d649 in mrb_top_run vm.c:2705
#6 0x1088fea85 in mrb_load_exec parse.y:5780
#7 0x1088ff3d5 in mrb_load_file_cxt parse.y:5789
#8 0x1086954c6 in main mruby.c:227
#9 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)
0x61900000f080 is located 0 bytes inside of 1024-byte region [0x61900000f080,0x61900000f480)
freed by thread T0 here:
#0 0x10928f356 in wrap_free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56356)
#1 0x10878dfeb in mrb_default_allocf state.c:56
#2 0x108710499 in mrb_free gc.c:269
#3 0x10878fe5c in mrb_free_context state.c:226
#4 0x108711332 in obj_free gc.c:777
#5 0x10871a59b in incremental_sweep_phase gc.c:1038
#6 0x108718e3c in incremental_gc gc.c:1104
#7 0x108714e06 in incremental_gc_until gc.c:1120
#8 0x108715207 in clear_all_old gc.c:1146
#9 0x10870f3d1 in mrb_full_gc gc.c:1212
#10 0x1087167b3 in gc_start gc.c:1324
#11 0x108804f65 in mrb_vm_exec vm.c:1304
#12 0x1087fa07f in mrb_vm_run vm.c:854
#13 0x10882d649 in mrb_top_run vm.c:2705
#14 0x1088fea85 in mrb_load_exec parse.y:5780
#15 0x1088ff3d5 in mrb_load_file_cxt parse.y:5789
#16 0x1086954c6 in main mruby.c:227
#17 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)
previously allocated by thread T0 here:
#0 0x10928f520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
#1 0x10878e005 in mrb_default_allocf state.c:60
#2 0x10870f1b8 in mrb_realloc_simple gc.c:202
#3 0x10870f89e in mrb_realloc gc.c:216
#4 0x108710323 in mrb_malloc gc.c:237
#5 0x10889d7d1 in fiber_init fiber.c:94
#6 0x1087ef552 in mrb_funcall_with_block vm.c:445
#7 0x1086d2769 in mrb_instance_new class.c:1430
#8 0x108804f65 in mrb_vm_exec vm.c:1304
#9 0x1087fa07f in mrb_vm_run vm.c:854
#10 0x10882d649 in mrb_top_run vm.c:2705
#11 0x1088fea85 in mrb_load_exec parse.y:5780
#12 0x1088ff3d5 in mrb_load_file_cxt parse.y:5789
#13 0x1086954c6 in main mruby.c:227
#14 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)
SUMMARY: AddressSanitizer: heap-use-after-free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7) in __asan_memcpy
Shadow bytes around the buggy address:
0x1c3200001dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c3200001dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c3200001de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c3200001df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c3200001e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c3200001e10:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3200001e20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3200001e30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3200001e40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3200001e50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3200001e60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==53995==ABORTING
Abort trap: 6
Dinko Galetic & Denis Kasak (https://hackerone.com/dgaletic) reported a similar case. Given the similar input, it's possible that the root cause is the same:
The following input demonstrates a crash:
ASAN report:
This issue was reported by https://hackerone.com/ssarong