Heap use-after-free in fiber_switch

[clayton-shopify]

The following input demonstrates a crash:

f = Fiber.new do
  f = Fiber.new do
  end
end

f.resume
GC.start

f.resume

ASAN report:

==53995==ERROR: AddressSanitizer: heap-use-after-free on address 0x61900000f080 at pc 0x0001092862f8 bp 0x7fff57562d10 sp 0x7fff575624c0
READ of size 16 at 0x61900000f080 thread T0
    #0 0x1092862f7 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7)
    #1 0x10889ba5a in fiber_switch fiber.c:198
    #2 0x10889e715 in fiber_resume fiber.c:244
    #3 0x108804f65 in mrb_vm_exec vm.c:1304
    #4 0x1087fa07f in mrb_vm_run vm.c:854
    #5 0x10882d649 in mrb_top_run vm.c:2705
    #6 0x1088fea85 in mrb_load_exec parse.y:5780
    #7 0x1088ff3d5 in mrb_load_file_cxt parse.y:5789
    #8 0x1086954c6 in main mruby.c:227
    #9 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

0x61900000f080 is located 0 bytes inside of 1024-byte region [0x61900000f080,0x61900000f480)
freed by thread T0 here:
    #0 0x10928f356 in wrap_free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56356)
    #1 0x10878dfeb in mrb_default_allocf state.c:56
    #2 0x108710499 in mrb_free gc.c:269
    #3 0x10878fe5c in mrb_free_context state.c:226
    #4 0x108711332 in obj_free gc.c:777
    #5 0x10871a59b in incremental_sweep_phase gc.c:1038
    #6 0x108718e3c in incremental_gc gc.c:1104
    #7 0x108714e06 in incremental_gc_until gc.c:1120
    #8 0x108715207 in clear_all_old gc.c:1146
    #9 0x10870f3d1 in mrb_full_gc gc.c:1212
    #10 0x1087167b3 in gc_start gc.c:1324
    #11 0x108804f65 in mrb_vm_exec vm.c:1304
    #12 0x1087fa07f in mrb_vm_run vm.c:854
    #13 0x10882d649 in mrb_top_run vm.c:2705
    #14 0x1088fea85 in mrb_load_exec parse.y:5780
    #15 0x1088ff3d5 in mrb_load_file_cxt parse.y:5789
    #16 0x1086954c6 in main mruby.c:227
    #17 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

previously allocated by thread T0 here:
    #0 0x10928f520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x10878e005 in mrb_default_allocf state.c:60
    #2 0x10870f1b8 in mrb_realloc_simple gc.c:202
    #3 0x10870f89e in mrb_realloc gc.c:216
    #4 0x108710323 in mrb_malloc gc.c:237
    #5 0x10889d7d1 in fiber_init fiber.c:94
    #6 0x1087ef552 in mrb_funcall_with_block vm.c:445
    #7 0x1086d2769 in mrb_instance_new class.c:1430
    #8 0x108804f65 in mrb_vm_exec vm.c:1304
    #9 0x1087fa07f in mrb_vm_run vm.c:854
    #10 0x10882d649 in mrb_top_run vm.c:2705
    #11 0x1088fea85 in mrb_load_exec parse.y:5780
    #12 0x1088ff3d5 in mrb_load_file_cxt parse.y:5789
    #13 0x1086954c6 in main mruby.c:227
    #14 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-use-after-free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c3200001dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3200001dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3200001de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c3200001df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3200001e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c3200001e10:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3200001e20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3200001e30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3200001e40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3200001e50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3200001e60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==53995==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ssarong

[clayton-shopify]

Sorry, I hit the submit button too soon. The description is updated with the full details now.

[clayton-shopify]

Sorry, I hit the submit button too soon. The description is updated with the full details now.

[clayton-shopify]

Dinko Galetic & Denis Kasak (https://hackerone.com/dgaletic) reported a similar case. Given the similar input, it's possible that the root cause is the same:

Fiber.new {
  Fiber.new {
    Fiber.new {}.resume
  }.resume while 1
}.resume

[clayton-shopify]

Dinko Galetic & Denis Kasak (https://hackerone.com/dgaletic) reported a similar case. Given the similar input, it's possible that the root cause is the same:

Fiber.new {
  Fiber.new {
    Fiber.new {}.resume
  }.resume while 1
}.resume