Heap use-after-free in mrb_ary_ref #3650

Closed
clayton-shopify opened this Issue May 9, 2017 · 0 comments

clayton-shopify commented May 9, 2017

The following input demonstrates a crash:

f = Fiber.new do
  # each iteration creates a closure and temporary arrays, so the GC runs inside the fiber
  1000.times { [0].zip [0] }
end
f = f.resume

I did a bisect, and it appears the problem was introduced in 01f7825.

ASAN report:

==67358==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000012a40 at pc 0x00010ece62f8 bp 0x7fff513176f0 sp 0x7fff51316ea0
READ of size 16 at 0x606000012a40 thread T0
    #0 0x10ece62f7 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7)
    #1 0x10e8debe4 in mrb_ary_ref array.c:557
    #2 0x10e8e8918 in mrb_ary_aget array.c:758
    #3 0x10ea4756f in mrb_vm_exec (mruby:x86_64+0x10017256f)
    #4 0x10ea3c42f in mrb_vm_run (mruby:x86_64+0x10016742f)
    #5 0x10ea3437e in mrb_run (mruby:x86_64+0x10015f37e)
    #6 0x10ea31d04 in mrb_funcall_with_block (mruby:x86_64+0x10015cd04)
    #7 0x10ea2e8d7 in mrb_funcall_argv (mruby:x86_64+0x1001598d7)
    #8 0x10e97f102 in mrb_method_missing (mruby:x86_64+0x1000aa102)
    #9 0x10ea46564 in mrb_vm_exec (mruby:x86_64+0x100171564)
    #10 0x10ea3c42f in mrb_vm_run (mruby:x86_64+0x10016742f)
    #11 0x10ea700a9 in mrb_top_run (mruby:x86_64+0x10019b0a9)
    #12 0x10eb41bb5 in mrb_load_exec (mruby:x86_64+0x10026cbb5)
    #13 0x10eb42505 in mrb_load_file_cxt (mruby:x86_64+0x10026d505)
    #14 0x10e8d70c6 in main mruby.c:227
    #15 0x7fffbdf72234 in start (libdyld.dylib:x86_64+0x5234)

0x606000012a40 is located 0 bytes inside of 64-byte region [0x606000012a40,0x606000012a80)
freed by thread T0 here:
    #0 0x10ecef356 in wrap_free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56356)
    #1 0x10e9d022b in mrb_default_allocf (mruby:x86_64+0x1000fb22b)
    #2 0x10e951da9 in mrb_free gc.c:270
    #3 0x10e952d7a in obj_free gc.c:790
    #4 0x10e95c57b in incremental_sweep_phase gc.c:1039
    #5 0x10e95af3c in incremental_gc gc.c:1105
    #6 0x10e956796 in incremental_gc_until gc.c:1121
    #7 0x10e955a94 in mrb_incremental_gc gc.c:1172
    #8 0x10e9553a8 in mrb_obj_alloc gc.c:509
    #9 0x10e9bf523 in mrb_proc_new (mruby:x86_64+0x1000ea523)
    #10 0x10e9bf80c in mrb_closure_new (mruby:x86_64+0x1000ea80c)
    #11 0x10ea668ad in mrb_vm_exec (mruby:x86_64+0x1001918ad)
    #12 0x10ea3c42f in mrb_vm_run (mruby:x86_64+0x10016742f)
    #13 0x10ea700a9 in mrb_top_run (mruby:x86_64+0x10019b0a9)
    #14 0x10eb41bb5 in mrb_load_exec (mruby:x86_64+0x10026cbb5)
    #15 0x10eb42505 in mrb_load_file_cxt (mruby:x86_64+0x10026d505)
    #16 0x10e8d70c6 in main mruby.c:227
    #17 0x7fffbdf72234 in start (libdyld.dylib:x86_64+0x5234)

previously allocated by thread T0 here:
    #0 0x10ecef520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x10e9d0245 in mrb_default_allocf (mruby:x86_64+0x1000fb245)
    #2 0x10e950a58 in mrb_realloc_simple gc.c:203
    #3 0x10e9511ae in mrb_realloc gc.c:217
    #4 0x10e8dafd2 in ary_expand_capa array.c:193
    #5 0x10e8dc49b in mrb_ary_push array.c:424
    #6 0x10e8e7f88 in mrb_ary_push_m array.c:437
    #7 0x10ea4756f in mrb_vm_exec (mruby:x86_64+0x10017256f)
    #8 0x10ea3c42f in mrb_vm_run (mruby:x86_64+0x10016742f)
    #9 0x10ea700a9 in mrb_top_run (mruby:x86_64+0x10019b0a9)
    #10 0x10eb41bb5 in mrb_load_exec (mruby:x86_64+0x10026cbb5)
    #11 0x10eb42505 in mrb_load_file_cxt (mruby:x86_64+0x10026d505)
    #12 0x10e8d70c6 in main mruby.c:227
    #13 0x7fffbdf72234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-use-after-free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c0c000024f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0c00002500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0c00002510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0c00002520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0c00002530: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00
=>0x1c0c00002540: 00 00 00 00 fa fa fa fa[fd]fd fd fd fd fd fd fd
  0x1c0c00002550: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x1c0c00002560: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x1c0c00002570: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x1c0c00002580: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x1c0c00002590: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==67358==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ahihi

@matz matz closed this in f75f506 May 25, 2017
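The three stack traces in the report line up as: the 64-byte region is an array's backing store grown by ary_expand_capa, it is released by obj_free during an incremental sweep that a closure allocation (mrb_proc_new) kicked off, and mrb_ary_ref then memcpy's from the stale buffer. The generic shape of that failure is a GC-managed object that native code or the VM still holds but that nothing marks, so a collection triggered by an unrelated allocation sweeps it. The following toy mark-and-sweep heap is an added illustration of that pattern, not mruby code; every name in it (toy_array, gc_alloc_array, toy_ary_ref, sum_buggy, sum_fixed) is invented for the example, it does not model mruby's incremental collector or fiber stacks, and it makes no claim about what 01f7825 or the fixing commit f75f506 changed.

```c
/*
 * Added toy example (not mruby code): an object still in use but not
 * reachable from any GC root is swept when an allocation triggers a
 * collection; the next access through the stale pointer is the
 * use-after-free that ASAN reports.  All names are invented.
 */
#include <stdio.h>
#include <stdlib.h>

#define TOY_HEAP_SLOTS 8
#define TOY_MAX_ROOTS  8

typedef struct toy_array {
    int   *ptr;     /* backing store, like the array buffer grown by realloc */
    size_t len;
    int    marked;  /* set by the mark phase */
    int    freed;   /* toy stand-in for ASAN's "freed heap region" shadow byte */
} toy_array;

static toy_array  heap[TOY_HEAP_SLOTS];
static size_t     heap_used;
static toy_array *roots[TOY_MAX_ROOTS];
static size_t     nroots;

/* Register the object as a GC root for as long as native code uses it. */
static void gc_root(toy_array *a) { if (nroots < TOY_MAX_ROOTS) roots[nroots++] = a; }
static void gc_unroot(void)       { if (nroots) nroots--; }

/* Mark everything reachable from the roots, then free the rest.  Freed
 * objects keep a flag so the example can detect a use-after-free without
 * actually reading freed memory (ASAN would abort instead). */
static void gc_collect(void) {
    for (size_t i = 0; i < heap_used; i++) heap[i].marked = 0;
    for (size_t r = 0; r < nroots; r++) roots[r]->marked = 1;
    for (size_t i = 0; i < heap_used; i++) {
        toy_array *a = &heap[i];
        if (!a->marked && !a->freed) {
            free(a->ptr);          /* like obj_free releasing the array's buffer */
            a->ptr = NULL;
            a->freed = 1;
        }
    }
}

/* Allocate an array holding 0..len-1.  A collection runs before every
 * allocation: the worst case of "any allocation may trigger GC". */
static toy_array *gc_alloc_array(size_t len) {
    gc_collect();
    if (heap_used == TOY_HEAP_SLOTS) return NULL;
    toy_array *a = &heap[heap_used++];
    a->ptr = calloc(len, sizeof(int));
    a->len = len;
    a->marked = 0;
    a->freed = 0;
    for (size_t i = 0; i < len; i++) a->ptr[i] = (int)i;
    return a;
}

/* Element read in the role of mrb_ary_ref; returns -1 on a swept array. */
static int toy_ary_ref(const toy_array *a, size_t idx, int *out) {
    if (a->freed || idx >= a->len) return -1;
    *out = a->ptr[idx];
    return 0;
}

/* Buggy pattern: hold an unrooted array across an allocation.
 * Returns -1 because the array was swept by the collection. */
static int sum_buggy(void) {
    toy_array *a = gc_alloc_array(4);
    gc_alloc_array(1);                /* allocation -> collection -> 'a' is swept */
    int v, total = 0;
    for (size_t i = 0; i < a->len; i++) {
        if (toy_ary_ref(a, i, &v) != 0) return -1;   /* use-after-free caught */
        total += v;
    }
    return total;
}

/* Fixed pattern: keep 'a' rooted while it is still in use.  Returns 0+1+2+3 = 6. */
static int sum_fixed(void) {
    toy_array *a = gc_alloc_array(4);
    gc_root(a);
    gc_alloc_array(1);                /* collection runs, but 'a' is marked and survives */
    int v, total = 0;
    for (size_t i = 0; i < a->len; i++) {
        if (toy_ary_ref(a, i, &v) != 0) { gc_unroot(); return -1; }
        total += v;
    }
    gc_unroot();
    return total;
}

int main(void) {
    printf("unrooted across allocation: %d\n", sum_buggy());  /* -1: swept */
    printf("rooted across allocation:   %d\n", sum_fixed());  /* 6 */
    return 0;
}
```

The point of the toy is the discipline, not the collector: whenever native code keeps a pointer to a collectable object (or to its reallocatable buffer) across a call that can allocate, the object must be reachable from something the marker walks, and buffer pointers must be re-read after the call. In a real report like the one above, the allocation-site trace tells you which buffer it was, the free-site trace tells you which GC phase reclaimed it, and the access trace tells you which code path was still holding it.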
