
Crash in mrb_str_format #3665

Closed
clayton-shopify opened this Issue May 24, 2017 · 1 comment

@clayton-shopify (Contributor) commented May 24, 2017

When MRuby is built with MRB_INT64, the following input causes a crash:

sprintf "%*f",2147483648,Float::NAN

ASAN report:

==91193==ERROR: AddressSanitizer: negative-size-param: (size=-2147483648)
    #0 0x1058aa5e3 in __asan_memset (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d5e3)
    #1 0x105648bd6 in mrb_str_format sprintf.c:1037
    #2 0x10563a9c1 in mrb_f_sprintf sprintf.c:516
    #3 0x105611393 in mrb_vm_exec vm.c:1314
    #4 0x10560659f in mrb_vm_run vm.c:860
    #5 0x105638a29 in mrb_top_run vm.c:2731
    #6 0x105707fb5 in mrb_load_exec parse.y:5780
    #7 0x1057088c5 in mrb_load_file_cxt parse.y:5789
    #8 0x1054abb07 in main mruby.c:227
    #9 0x7fff8c15e234 in start (libdyld.dylib:x86_64+0x5234)

0x60c000013300 is located 0 bytes inside of 121-byte region [0x60c000013300,0x60c000013379)
allocated by thread T0 here:
    #0 0x1058b3520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x10559c015 in mrb_default_allocf state.c:60
    #2 0x10551e5c8 in mrb_realloc_simple gc.c:203
    #3 0x10551ed1e in mrb_realloc gc.c:217
    #4 0x1055a2af8 in resize_capa string.c:140
    #5 0x1055a22e5 in mrb_str_resize string.c:738
    #6 0x10563bf7f in mrb_str_format sprintf.c:570
    #7 0x10563a9c1 in mrb_f_sprintf sprintf.c:516
    #8 0x105611393 in mrb_vm_exec vm.c:1314
    #9 0x10560659f in mrb_vm_run vm.c:860
    #10 0x105638a29 in mrb_top_run vm.c:2731
    #11 0x105707fb5 in mrb_load_exec parse.y:5780
    #12 0x1057088c5 in mrb_load_file_cxt parse.y:5789
    #13 0x1054abb07 in main mruby.c:227
    #14 0x7fff8c15e234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: negative-size-param (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d5e3) in __asan_memset
==91193==ABORTING
Abort trap: 6

This bug was reported by https://hackerone.com/shikchen, who offered the following explanation:


The bug is here:

if ((flags & FWIDTH) && need < width)
  need = width;

The type of the variable need is int, but the type of width is mrb_int, which is int64_t when compiling with MRB_INT64. During the comparison, need is promoted to int64_t. But it will overflow when being assigned from width, and the following memset/memcpy will cause a heap overflow.

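The narrowing described in the explanation above, as an added example that is not mruby's own code and not the fix matz committed: it models the int/mrb_int mismatch in mrb_str_format under MRB_INT64 and shows why a width of 2147483648 ends up as INT_MIN and then as a huge size_t for memset. The mrb_int typedef, the FWIDTH bit value and the function names buggy_need, safe_need and memset_size are assumptions standing in for the real sprintf.c definitions.

```c
/* Added example (not mruby's code): models the int/mrb_int narrowing in
 * mrb_str_format when mruby is built with MRB_INT64. The mrb_int typedef,
 * FWIDTH, buggy_need, safe_need and memset_size are assumptions that stand
 * in for the real sprintf.c definitions. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int64_t mrb_int;          /* assumption: what MRB_INT64 selects */
#define FWIDTH 1                  /* assumption: the "width was given" flag bit */

/* The pattern from the report: `need` is int, `width` is mrb_int.
 * The comparison is done in int64 (need is promoted), so 2147483648 passes
 * the `need < width` test, but the assignment narrows it back to 32 bits.
 * On gcc/clang that wraps to INT_MIN (the conversion is implementation-
 * defined in ISO C, modular on every mainstream compiler). */
static int buggy_need(unsigned flags, int need, mrb_int width) {
    if ((flags & FWIDTH) && need < width)
        need = width;
    return need;
}

/* Hardened variant: bound-check the mrb_int before it touches an int.
 * Returns -1 for a width that cannot be represented; a real caller would
 * raise ArgumentError instead of sizing a buffer from it. */
static int safe_need(unsigned flags, int need, mrb_int width) {
    if (flags & FWIDTH) {
        if (width < 0 || width > INT_MAX)
            return -1;
        if (need < width)
            need = (int)width;
    }
    return need;
}

/* The length memset/memcpy would receive: a negative int converted to
 * size_t, which is what ASAN reports as negative-size-param. */
static size_t memset_size(int need) {
    return (size_t)need;
}

int main(void) {
    mrb_int width = (mrb_int)2147483648LL;   /* the "%*f" argument from the report */
    int need = 0;                            /* bytes needed before padding */

    int b = buggy_need(FWIDTH, need, width);
    printf("buggy need  = %d (INT_MIN is %d)\n", b, INT_MIN);
    printf("memset size = %zu bytes\n", memset_size(b));

    int s = safe_need(FWIDTH, need, width);
    printf("safe need   = %d (-1 means rejected)\n", s);
    printf("safe need for width 10 = %d\n", safe_need(FWIDTH, need, 10));
    return 0;
}
```

The check in safe_need is the part that matters: any mrb_int that feeds an int-typed length must be range-checked before the assignment, because the promoted comparison alone cannot catch a value that only overflows on the way back down.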
@clayton-shopify (Contributor) commented May 24, 2017

Initially I wrote that this only affected mirb. That turned out to be incorrect; my mruby build was broken. After rebuilding it now crashes in both mruby and mirb.

@matz matz closed this in 3ef97e3 May 25, 2017
