New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Heap buffer overflow in OP_GETUPVAR #3668

Closed
clayton-shopify opened this Issue May 26, 2017 · 0 comments

Comments

Projects
None yet
1 participant
@clayton-shopify
Contributor

clayton-shopify commented May 26, 2017

The following input demonstrates a crash when supplied to mirb:

a = []
f = Fiber.new do
    x
end
[].call f.resume
g = Fiber.new do end
x = {}
r = RangeError.new x = []
a = Fiber.new do
    r.to_a
end
class Z < a
end
r.resume

ASAN report:

==70995==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000088f0 at pc 0x000102bb32f8 bp 0x7fff5d44c850 sp 0x7fff5d44c000
READ of size 16 at 0x6060000088f0 thread T0
    #0 0x102bb32f7 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7)
    #1 0x102913228 in mrb_vm_exec vm.c:1073
    #2 0x10290da5f in mrb_vm_run vm.c:860
    #3 0x1027ab6f9 in main mirb.c:549
    #4 0x7fff8c15e234 in start (libdyld.dylib:x86_64+0x5234)

0x6060000088f0 is located 16 bytes to the left of 49-byte region [0x606000008900,0x606000008931)
allocated by thread T0 here:
    #0 0x102bbc520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x1028a14df in mrb_default_allocf state.c:57
    #2 0x102822158 in mrb_realloc_simple gc.c:203
    #3 0x1028228ae in mrb_realloc gc.c:217
    #4 0x102823333 in mrb_malloc gc.c:238
    #5 0x1028a53cc in str_new string.c:73
    #6 0x1028a4ebf in mrb_str_new string.c:193
    #7 0x1027ca62e in packed_backtrace backtrace.c:177
    #8 0x1027ca0b5 in mrb_keep_backtrace backtrace.c:190
    #9 0x10280d535 in mrb_exc_set error.c:249
    #10 0x10280e397 in mrb_exc_raise error.c:260
    #11 0x102810dbd in raise_va error.c:345
    #12 0x102810984 in mrb_raisef error.c:354
    #13 0x1027d3ec2 in mrb_vm_define_class class.c:289
    #14 0x1029390c4 in mrb_vm_exec vm.c:2562
    #15 0x10290da5f in mrb_vm_run vm.c:860
    #16 0x1027ab6f9 in main mirb.c:549
    #17 0x7fff8c15e234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c0c000010c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0c000010d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0c000010e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0c000010f0: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
  0x1c0c00001100: 00 00 00 00 fa fa fa fa fd fd fd fd fd fd fd fd
=>0x1c0c00001110: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa[fa]fa
  0x1c0c00001120: 00 00 00 00 00 00 01 fa fa fa fa fa 00 00 00 00
  0x1c0c00001130: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
  0x1c0c00001140: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x1c0c00001150: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x1c0c00001160: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==70995==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ahihi

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment