Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Null pointer dereference in each_backtrace #3644

Closed
clayton-shopify opened this issue Apr 27, 2017 · 0 comments
Closed

Null pointer dereference in each_backtrace #3644

clayton-shopify opened this issue Apr 27, 2017 · 0 comments

Comments

@clayton-shopify
Copy link
Contributor

@clayton-shopify clayton-shopify commented Apr 27, 2017

The following input demonstrates a crash:

GC.start

begin
  [0].all? do[].-
end

rescue => e
  GC.start
  e.dup.backtrace
end

ASAN report:

==90143==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000009 (pc 0x0001078ac6a0 bp 0x7fff5836ba50 sp 0x7fff5836b700 T0)
==90143==The signal is caused by a READ memory access.
==90143==Hint: address points to the zero page.
    #0 0x1078ac69f in each_backtrace backtrace.c:132
    #1 0x1078ab4ea in output_backtrace backtrace.c:182
    #2 0x1078a9324 in exc_output_backtrace backtrace.c:199
    #3 0x1078a9ca4 in mrb_exc_backtrace backtrace.c:303
    #4 0x1078fd45e in exc_get_backtrace (mruby:x86_64+0x10007345e)
    #5 0x1079fbca5 in mrb_vm_exec (mruby:x86_64+0x100171ca5)
    #6 0x1079f0dbf in mrb_vm_run (mruby:x86_64+0x100166dbf)
    #7 0x107a24619 in mrb_top_run (mruby:x86_64+0x10019a619)
    #8 0x107af5a85 in mrb_load_exec (mruby:x86_64+0x10026ba85)
    #9 0x107af63d5 in mrb_load_file_cxt (mruby:x86_64+0x10026c3d5)
    #10 0x10788c0d6 in main mruby.c:227
    #11 0x7fffbdf72234 in start (libdyld.dylib:x86_64+0x5234)

==90143==Register values:
rax = 0x0000000000000009  rbx = 0x00007fff5836b760  rcx = 0x0000000000000009  rdx = 0x0000100000000001
rdi = 0x0000000000000001  rsi = 0x0000100000000000  rbp = 0x00007fff5836ba50  rsp = 0x00007fff5836b700
 r8 = 0x0000000100000010   r9 = 0x0000100000000000  r10 = 0x0000000000000080  r11 = 0xffffe060a7c9f1e0
r12 = 0x0000100000000000  r13 = 0x000062f0000099d0  r14 = 0x000061400000a460  r15 = 0x00001c280000148c
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV backtrace.c:132 in each_backtrace
==90143==ABORTING
Abort trap: 6

This issue was reported by Dinko Galetic & Denis Kasak (https://hackerone.com/dgaletic).

matz added a commit that referenced this issue May 23, 2017
Instead of preserving a backtrace in `mrb_state`, `mrb_exc_set`
keeps packed backtrace in an exception object. `#backtrace` unpacks
it to an array of strings.
@matz matz closed this as completed May 23, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants