
Null pointer dereference in ecall #3662

Closed
clayton-shopify opened this Issue May 23, 2017 · 0 comments

@clayton-shopify
Contributor

clayton-shopify commented May 23, 2017

The following input demonstrates a crash:

Fiber.new{
    begin
    break""ensure""end}.resume

ASAN report:

==70335==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00010b623cba bp 0x7fff547653f0 sp 0x7fff54765020 T0)
==70335==The signal is caused by a READ memory access.
==70335==Hint: address points to the zero page.
    #0 0x10b623cb9 in ecall vm.c:309
    #1 0x10b60b637 in mrb_vm_exec vm.c:1891
    #2 0x10b5f3c8f in mrb_vm_run vm.c:860
    #3 0x10b6270e9 in mrb_top_run vm.c:2731
    #4 0x10b6f9035 in mrb_load_exec parse.y:5780
    #5 0x10b6f9985 in mrb_load_file_cxt parse.y:5789
    #6 0x10b4935f6 in main mruby.c:227
    #7 0x7fff8c15e234 in start (libdyld.dylib:x86_64+0x5234)

==70335==Register values:
rax = 0x0000000000000000  rbx = 0x00007fff54765080  rcx = 0x000060b00000aa58  rdx = 0x0000100000000000
rdi = 0x0000000000000050  rsi = 0x0000100000000000  rbp = 0x00007fff547653f0  rsp = 0x00007fff54765020
 r8 = 0x00007fff54765060   r9 = 0x0000000000000000  r10 = 0x00001c280000148c  r11 = 0x0000100000000000
r12 = 0xf2f20000f1f1f1f1  r13 = 0x00001fffea8ed86c  r14 = 0xf2f20000f2f2f2f2  r15 = 0xf2f2f2f2f2040000
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV vm.c:309 in ecall
==70335==ABORTING
Abort trap: 6

Debug:

(lldb) process launch -- poc/229739.rb
Process 70360 launched: '/Users/clayton/git/mruby/bin/mruby' (x86_64)
Process 70360 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    frame #0: 0x0000000100192cba mruby`ecall(mrb=0x000061400000a440, i=0) at vm.c:309
   306 	  if (ci - mrb->c->cibase > MRB_FUNCALL_DEPTH_MAX) {
   307 	    mrb_exc_raise(mrb, mrb_obj_value(mrb->stack_err));
   308 	  }
-> 309 	  p = mrb->c->ensure[i];
   310 	  if (!p) return;
   311 	  mrb->c->ensure[i] = NULL;
   312 	  if (ci->eidx > i)

(lldb) print mrb->c->ensure
(RProc **) $0 = 0x0000000000000000

This issue was reported by https://hackerone.com/mg36

@matz matz closed this in 517cd51 May 25, 2017

matz added a commit that referenced this issue May 26, 2017
