
Heap use-after-free in OP_SEND #3622

Closed
clayton-shopify opened this Issue Apr 19, 2017 · 0 comments
@clayton-shopify
Contributor

clayton-shopify commented Apr 19, 2017

The following input demonstrates a crash:

g=0.times.p{}
a %w{0 0 0 0 0 0 0 0 0 0
0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0
0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 { 0 0 0 0 0 0 0 0 0 0
0 { 0 }
0 0 0
0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 } 0}.(&:e)

ASAN report:

==26891==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d00001d6c0 at pc 0x00010248f4ca bp 0x7fff5db743f0 sp 0x7fff5db73ba0
WRITE of size 16 at 0x61d00001d6c0 thread T0
    #0 0x10248f4c9 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d4c9)
    #1 0x1021f284a in mrb_vm_exec vm.c:1247
    #2 0x1021e907f in mrb_vm_run vm.c:854
    #3 0x10221c649 in mrb_top_run vm.c:2705
    #4 0x1022eda85 in mrb_load_exec parse.y:5780
    #5 0x1022ee3d5 in mrb_load_file_cxt parse.y:5789
    #6 0x1020844c6 in main mruby.c:227
    #7 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

0x61d00001d6c0 is located 64 bytes inside of 2048-byte region [0x61d00001d680,0x61d00001de80)
freed by thread T0 here:
    #0 0x102498520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x10217d005 in mrb_default_allocf state.c:60
    #2 0x1020fe1b8 in mrb_realloc_simple gc.c:202
    #3 0x1020fe89e in mrb_realloc gc.c:216
    #4 0x10221d0cf in stack_extend_alloc vm.c:162
    #5 0x1021e02cf in stack_extend vm.c:183
    #6 0x1021ddfa3 in mrb_funcall_with_block vm.c:430
    #7 0x1021db527 in mrb_funcall_argv vm.c:462
    #8 0x1021604be in convert_type object.c:320
    #9 0x102160cbb in mrb_convert_type object.c:342
    #10 0x1021f274b in mrb_vm_exec vm.c:1247
    #11 0x1021e907f in mrb_vm_run vm.c:854
    #12 0x10221c649 in mrb_top_run vm.c:2705
    #13 0x1022eda85 in mrb_load_exec parse.y:5780
    #14 0x1022ee3d5 in mrb_load_file_cxt parse.y:5789
    #15 0x1020844c6 in main mruby.c:227
    #16 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

previously allocated by thread T0 here:
    #0 0x102498520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x10217d005 in mrb_default_allocf state.c:60
    #2 0x1020fe1b8 in mrb_realloc_simple gc.c:202
    #3 0x1020fe89e in mrb_realloc gc.c:216
    #4 0x1020ff323 in mrb_malloc gc.c:237
    #5 0x1020ff3bd in mrb_calloc gc.c:255
    #6 0x1021df242 in stack_init vm.c:105
    #7 0x1021dc400 in mrb_funcall_with_block vm.c:383
    #8 0x1021dbd3a in mrb_funcall_with_block vm.c:361
    #9 0x1021db527 in mrb_funcall_argv vm.c:462
    #10 0x1020c2575 in mrb_obj_new class.c:1444
    #11 0x1020e715d in mrb_exc_new_str error.c:32
    #12 0x1020f0f37 in mrb_init_exception error.c:553
    #13 0x102121fc0 in mrb_init_core init.c:41
    #14 0x10217cf9e in mrb_open_core state.c:47
    #15 0x10217d16c in mrb_open_allocf state.c:107
    #16 0x10217d137 in mrb_open state.c:99
    #17 0x1020833d8 in main mruby.c:171
    #18 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-use-after-free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d4c9) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c3a00003a80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a00003a90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a00003aa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a00003ab0: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3a00003ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c3a00003ad0: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
  0x1c3a00003ae0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a00003af0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a00003b00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a00003b10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3a00003b20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==26891==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ilsani
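The two ASan stacks above show the shape of the bug: OP_SEND (vm.c:1247) holds a pointer into the VM stack, mrb_convert_type runs a Ruby-level to_proc through mrb_funcall_with_block, stack_extend reallocates the stack, and the instruction then writes one 16-byte value through the pointer it cached before the call. The following is an added model of that pattern and of the reload-after-call defence; it is not mruby code and not the reporter's, the vm_state, stack_extend, convert_to_proc and op_send_* names are hypothetical stand-ins, and the fix shown is the general remedy for this class, not a claim about what 94bcdca changed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
typedef struct { uint64_t w[2]; } reg_t;  /* 16-byte slot, like the 16-byte WRITE in the report */
typedef struct {
    reg_t   *stbase;  /* register stack (mrb->c->stbase); regs in OP_SEND points into it */
    size_t   nregs;
    unsigned gen;     /* bumped whenever stbase is relocated */
} vm_state;
static int vm_init(vm_state *vm, size_t nregs) {
    vm->stbase = calloc(nregs, sizeof *vm->stbase); vm->nregs = nregs; vm->gen = 0;
    return vm->stbase ? 0 : -1;
}
static void vm_free(vm_state *vm) { free(vm->stbase); vm->stbase = NULL; vm->nregs = 0; }
/* Grow the stack; the new block is allocated before the old is freed, so the base always moves. */
static int stack_extend(vm_state *vm, size_t need) {
    if (need <= vm->nregs) return 0;
    reg_t *p = calloc(need, sizeof *p);
    if (!p) return -1;
    memcpy(p, vm->stbase, vm->nregs * sizeof *p);
    free(vm->stbase);
    vm->stbase = p; vm->nregs = need; vm->gen++;
    return 0;
}
/* Hypothetical stand-in for mrb_convert_type(..., "to_proc"): a Ruby-level to_proc runs
   through mrb_funcall_with_block, which pushes a frame and may extend the stack. */
static reg_t convert_to_proc(vm_state *vm, reg_t v) {
    stack_extend(vm, vm->nregs + 128);
    v.w[0] = 1;  /* constructed marker meaning "now a Proc" */
    return v;
}
/* The pattern in the report: regs cached before the call, written through afterwards.
   The gen check plays the role of ASan and returns -1 instead of writing freed memory. */
static int op_send_cached(vm_state *vm, size_t bidx) {
    reg_t *regs = vm->stbase;
    unsigned gen = vm->gen;
    reg_t blk = convert_to_proc(vm, regs[bidx]);
    if (gen != vm->gen) return -1;  /* regs now points into the freed block */
    memcpy(&regs[bidx], &blk, sizeof blk);
    return 0;
}
/* Hardened pattern: re-derive regs from the VM after any call that can extend the stack. */
static int op_send_reload(vm_state *vm, size_t bidx) {
    reg_t *regs = vm->stbase;
    reg_t blk = convert_to_proc(vm, regs[bidx]);
    regs = vm->stbase;  /* the old block may be gone; reload before writing */
    memcpy(&regs[bidx], &blk, sizeof blk);
    return 0;
}
```

In the real interpreter the same discipline applies to every cached stack pointer across any call that can reach stack_extend, and an ASan build of the reproducer is the quickest way to confirm a candidate fix.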

@matz matz closed this in 94bcdca Apr 21, 2017
