New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Null pointer dereference in each_backtrace #3644

Closed
clayton-shopify opened this Issue Apr 27, 2017 · 0 comments

Comments

Projects
None yet
2 participants
@clayton-shopify
Contributor

clayton-shopify commented Apr 27, 2017

The following input demonstrates a crash:

GC.start

begin
  [0].all? do[].-
end

rescue => e
  GC.start
  e.dup.backtrace
end

ASAN report:

==90143==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000009 (pc 0x0001078ac6a0 bp 0x7fff5836ba50 sp 0x7fff5836b700 T0)
==90143==The signal is caused by a READ memory access.
==90143==Hint: address points to the zero page.
    #0 0x1078ac69f in each_backtrace backtrace.c:132
    #1 0x1078ab4ea in output_backtrace backtrace.c:182
    #2 0x1078a9324 in exc_output_backtrace backtrace.c:199
    #3 0x1078a9ca4 in mrb_exc_backtrace backtrace.c:303
    #4 0x1078fd45e in exc_get_backtrace (mruby:x86_64+0x10007345e)
    #5 0x1079fbca5 in mrb_vm_exec (mruby:x86_64+0x100171ca5)
    #6 0x1079f0dbf in mrb_vm_run (mruby:x86_64+0x100166dbf)
    #7 0x107a24619 in mrb_top_run (mruby:x86_64+0x10019a619)
    #8 0x107af5a85 in mrb_load_exec (mruby:x86_64+0x10026ba85)
    #9 0x107af63d5 in mrb_load_file_cxt (mruby:x86_64+0x10026c3d5)
    #10 0x10788c0d6 in main mruby.c:227
    #11 0x7fffbdf72234 in start (libdyld.dylib:x86_64+0x5234)

==90143==Register values:
rax = 0x0000000000000009  rbx = 0x00007fff5836b760  rcx = 0x0000000000000009  rdx = 0x0000100000000001
rdi = 0x0000000000000001  rsi = 0x0000100000000000  rbp = 0x00007fff5836ba50  rsp = 0x00007fff5836b700
 r8 = 0x0000000100000010   r9 = 0x0000100000000000  r10 = 0x0000000000000080  r11 = 0xffffe060a7c9f1e0
r12 = 0x0000100000000000  r13 = 0x000062f0000099d0  r14 = 0x000061400000a460  r15 = 0x00001c280000148c
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV backtrace.c:132 in each_backtrace
==90143==ABORTING
Abort trap: 6

This issue was reported by Dinko Galetic & Denis Kasak (https://hackerone.com/dgaletic).

matz added a commit that referenced this issue May 23, 2017

Simplify backtrace mechanism; fix #3633 #3634 #3644
Instead of preserving a backtrace in `mrb_state`, `mrb_exc_set`
keeps packed backtrace in an exception object. `#backtrace` unpacks
it to an array of strings.

@matz matz closed this May 23, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment