Null pointer dereference in ecall #3666

Closed
clayton-shopify opened this Issue May 25, 2017 · 0 comments

clayton-shopify commented May 25, 2017

The following input demonstrates a crash:

Fiber.new {
    begin
        next
        ensure -> {}
    end
}.resume

This appears to be closely related to #3662.

ASAN report:

ASAN:DEADLYSIGNAL
=================================================================
==17700==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00010793e8ea bp 0x7fff5844b1d0 sp 0x7fff5844ae20 T0)
==17700==The signal is caused by a READ memory access.
==17700==Hint: address points to the zero page.
    #0 0x10793e8e9 in ecall vm.c:310
    #1 0x107926168 in mrb_vm_exec vm.c:1905
    #2 0x10790e14f in mrb_vm_run vm.c:860
    #3 0x107941eff in mrb_top_run vm.c:2750
    #4 0x107a13fb5 in mrb_load_exec parse.y:5780
    #5 0x107a14905 in mrb_load_file_cxt parse.y:5789
    #6 0x1077ad7c6 in main mruby.c:227
    #7 0x7fff8c15e234 in start (libdyld.dylib:x86_64+0x5234)

==17700==Register values:
rax = 0x0000000000000000  rbx = 0x00007fff5844ae80  rcx = 0x000060b00000aa58  rdx = 0x0000100000000000
rdi = 0x0000000000000050  rsi = 0x0000100000000000  rbp = 0x00007fff5844b1d0  rsp = 0x00007fff5844ae20
 r8 = 0x00007fff5844ae60   r9 = 0x0000000000000000  r10 = 0x00001c280000148c  r11 = 0x0000100000000000
r12 = 0xf2f20000f1f1f1f1  r13 = 0x00001fffeb08a450  r14 = 0xf2f20000f2f2f2f2  r15 = 0xf2f2f2f2f2040000
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV vm.c:310 in ecall
==17700==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ahihi
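Added example, not code from the issue report or from the mruby code base: a short MRI Ruby script that pins down the semantics the reporter's input is supposed to have, so that a patched mruby can be checked for correct behaviour rather than just for the absence of the crash. Each function returns what Fiber#resume returned, and the log argument records the order of events. Function names (fiber_next_with_ensure, reporter_shape, nested_ensure_on_next) are my own; reporter_shape is the reporter's input verbatim.

```ruby
# Added example (not code from the issue or from mruby): reference semantics,
# under MRI, for `next` leaving a Fiber block that carries an `ensure` clause.
# Every function returns what Fiber#resume returned; `log` records the order of
# events so ensure handling (mruby's ecall) can be checked, not just the absence
# of a crash. Function names are my own.

# `next` with a value: the block ends, ensure runs exactly once, resume returns
# the value given to `next`, and the fiber is dead afterwards.
def fiber_next_with_ensure(log)
  f = Fiber.new do
    begin
      log << :body
      next :from_next        # leaves the block early; ensure must still run
    ensure
      log << :ensure
    end
  end
  result = f.resume
  log << (f.alive? ? :alive : :dead)   # block finished, so the fiber is dead
  result
end

# The reporter's exact shape: an ensure clause whose only statement is the
# lambda literal `-> {}`. Under MRI this returns nil; the unpatched mruby in
# the report dereferences a null pointer in ecall on this input.
def reporter_shape
  Fiber.new {
    begin
      next
    ensure -> {}
    end
  }.resume
end

# Two nested ensure clauses: both must run, innermost first, before the fiber
# finishes. This exercises a stack of pending ensures rather than one entry.
def nested_ensure_on_next(log)
  f = Fiber.new do
    begin
      begin
        log << :inner_body
        next :done
      ensure
        log << :inner_ensure
      end
    ensure
      log << :outer_ensure
    end
  end
  result = f.resume
  log << (f.alive? ? :alive : :dead)
  result
end

if __FILE__ == $0
  log = []
  p fiber_next_with_ensure(log), log
  p reporter_shape
  log = []
  p nested_ensure_on_next(log), log
end
```

Run the same file under MRI and under the mruby build being tested; the two should agree on every return value and on the event order, and a divergence in the log (an ensure clause skipped or run twice) is a bug even when nothing crashes.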

matz closed this in e3438f4 May 26, 2017