Null pointer dereference in mrb_ary_to_h #3621

Closed
clayton-shopify opened this Issue Apr 19, 2017 · 0 comments


clayton-shopify commented Apr 19, 2017

The following input demonstrates a crash:

ObjectSpace.each_object{|obj| obj[] rescue 0}

ASAN report:

==22310==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0001068785f7 bp 0x7fff5955d3f0 sp 0x7fff5955ce20 T0)
==22310==The signal is caused by a READ memory access.
==22310==Hint: address points to the zero page.
    #0 0x1068785f6 in mrb_ary_to_h (mruby:x86_64+0x1001e85f6)
    #1 0x1068037ea in mrb_vm_exec vm.c:1374
    #2 0x1067f707f in mrb_vm_run vm.c:854
    #3 0x1067eefce in mrb_run vm.c:2694
    #4 0x1067f5176 in mrb_yield_with_class vm.c:708
    #5 0x1067f5e58 in mrb_yield vm.c:728
    #6 0x1068972f0 in os_each_object_cb mruby_objectspace.c:139
    #7 0x106713458 in gc_each_objects gc.c:1501
    #8 0x1067133aa in mrb_objspace_each_objects gc.c:1511
    #9 0x1068960c6 in os_each_object mruby_objectspace.c:170
    #10 0x106801f65 in mrb_vm_exec vm.c:1304
    #11 0x1067f707f in mrb_vm_run vm.c:854
    #12 0x10682a649 in mrb_top_run vm.c:2705
    #13 0x1068fba85 in mrb_load_exec parse.y:5780
    #14 0x1068fc3d5 in mrb_load_file_cxt parse.y:5789
    #15 0x1066924c6 in main mruby.c:227
    #16 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

==22310==Register values:
rax = 0x0000000000000000  rbx = 0x00007fff5955cfa0  rcx = 0x000062f000001688  rdx = 0x0000100000000000
rdi = 0x000061400000a440  rsi = 0x0000100000000000  rbp = 0x00007fff5955d3f0  rsp = 0x00007fff5955ce20
 r8 = 0x00007fff0000000f   r9 = 0x0000100000000000  r10 = 0x0000000000000080  r11 = 0xffffffffffffffe0
r12 = 0x00007fff5955cee0  r13 = 0x00007fff5955cf00  r14 = 0x00007fff5955cea0  r15 = 0x00007fff5955cec0
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (mruby:x86_64+0x1001e85f6) in mrb_ary_to_h
==22310==ABORTING
Abort trap: 6

This issue was reported by Dinko Galetic & Denis Kasak (https://hackerone.com/dgaletic).
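Added example (not part of the issue or of the mruby project): a small Python parser for AddressSanitizer reports of the shape shown above, useful when triaging a batch of fuzzer crashes. It extracts the process id, error kind, faulting address, access type and stack frames, and classifies a SEGV whose address lies inside the first page as a null-pointer dereference, which is what ASAN's "address points to the zero page" hint means here. The mruby report is copied from this issue (register dump omitted); the second, heap-buffer-overflow report is constructed to show the classifier on a different error kind. The field names, the 4096-byte page-size threshold and the one-line triage format are this example's own choices.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# ASAN output copied from the report above (mruby issue #3621), register dump omitted.
MRUBY_3621_REPORT = """\
==22310==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0001068785f7 bp 0x7fff5955d3f0 sp 0x7fff5955ce20 T0)
==22310==The signal is caused by a READ memory access.
==22310==Hint: address points to the zero page.
    #0 0x1068785f6 in mrb_ary_to_h (mruby:x86_64+0x1001e85f6)
    #1 0x1068037ea in mrb_vm_exec vm.c:1374
    #2 0x1067f707f in mrb_vm_run vm.c:854
    #3 0x1067eefce in mrb_run vm.c:2694
    #4 0x1067f5176 in mrb_yield_with_class vm.c:708
    #5 0x1067f5e58 in mrb_yield vm.c:728
    #6 0x1068972f0 in os_each_object_cb mruby_objectspace.c:139
    #7 0x106713458 in gc_each_objects gc.c:1501
    #8 0x1067133aa in mrb_objspace_each_objects gc.c:1511
    #9 0x1068960c6 in os_each_object mruby_objectspace.c:170
    #10 0x106801f65 in mrb_vm_exec vm.c:1304
    #11 0x1067f707f in mrb_vm_run vm.c:854
    #12 0x10682a649 in mrb_top_run vm.c:2705
    #13 0x1068fba85 in mrb_load_exec parse.y:5780
    #14 0x1068fc3d5 in mrb_load_file_cxt parse.y:5789
    #15 0x1066924c6 in main mruby.c:227
    #16 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)
SUMMARY: AddressSanitizer: SEGV (mruby:x86_64+0x1001e85f6) in mrb_ary_to_h
==22310==ABORTING
"""

# Constructed report (not from the issue) so the classifier can be seen on a non-SEGV kind.
CONSTRUCTED_OOB_REPORT = """\
==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000014 at pc 0x000000400abc bp 0x7ffd00000000 sp 0x7ffd00000000
READ of size 4 at 0x602000000014 thread T0
    #0 0x400abb in read_item item.c:21
    #1 0x400b00 in main item.c:40
SUMMARY: AddressSanitizer: heap-buffer-overflow item.c:21 in read_item
"""

HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on (?:unknown )?address 0x([0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access|^(READ|WRITE) of size (\d+)")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x([0-9a-fA-F]+) in (\S+)(?: (.*))?$")
SUMMARY_RE = re.compile(r"^SUMMARY: AddressSanitizer: \S+ .*? in (\S+)\s*$")


@dataclass
class Frame:
    index: int
    pc: int
    function: str
    location: str  # "file.c:line" or the "(module+offset)" form for unsymbolized frames


@dataclass
class AsanReport:
    pid: int
    kind: str            # ASAN's error kind, e.g. SEGV, heap-buffer-overflow
    address: int         # faulting address
    access: str = "UNKNOWN"
    access_size: int | None = None
    frames: list[Frame] = field(default_factory=list)
    summary_function: str = ""


def parse_asan_report(text: str) -> AsanReport:
    """Parse one ASAN report into a structured record; raises ValueError if no ERROR header is found."""
    report = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            report = AsanReport(pid=int(m.group(1)), kind=m.group(2), address=int(m.group(3), 16))
            continue
        if report is None:
            continue  # program output before the ERROR header is ignored
        m = ACCESS_RE.search(line)
        if m:
            report.access = m.group(1) or m.group(2)
            if m.group(3):
                report.access_size = int(m.group(3))
            continue
        m = FRAME_RE.match(line)
        if m:
            report.frames.append(Frame(int(m.group(1)), int(m.group(2), 16), m.group(3), m.group(4) or ""))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report.summary_function = m.group(1)
    if report is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    return report


def classify(report: AsanReport, page_size: int = 4096) -> str:
    """Triage bucket: a SEGV inside the first page is a null pointer (plus a small field offset);
    any other SEGV is a wild-pointer fault; non-SEGV reports keep ASAN's own kind."""
    if report.kind == "SEGV":
        return "null-pointer-dereference" if report.address < page_size else "wild-pointer-access"
    return report.kind


def triage_line(report: AsanReport) -> str:
    """One line per crash: 'bucket (ACCESS) in faulting_function <- caller location'."""
    top = report.frames[0].function if report.frames else report.summary_function
    caller = report.frames[1] if len(report.frames) > 1 else None
    where = f" <- {caller.function} {caller.location}" if caller else ""
    return f"{classify(report)} ({report.access}) in {top}{where}"


if __name__ == "__main__":
    for text in (MRUBY_3621_REPORT, CONSTRUCTED_OOB_REPORT):
        print(triage_line(parse_asan_report(text)))
```

For the report above, `triage_line` yields `null-pointer-dereference (READ) in mrb_ary_to_h <- mrb_vm_exec vm.c:1374`, which is the information a maintainer needs first: the fault is a read through a null pointer inside `mrb_ary_to_h`, reached from the VM's call dispatch, so the fix belongs at a missing check on that path rather than anywhere in the `ObjectSpace` iteration above it.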

@matz matz closed this in abed375 May 29, 2017

matz added a commit that referenced this issue May 29, 2017
